// Package fingerprint provides JA4/JA3 fingerprint generation for TLS ClientHello package fingerprint import ( "fmt" "ja4sentinel/api" tlsfingerprint "github.com/psanford/tlsfingerprint" ) // EngineImpl implements the api.Engine interface for fingerprint generation type EngineImpl struct{} // NewEngine creates a new fingerprint engine func NewEngine() *EngineImpl { return &EngineImpl{} } // FromClientHello generates JA4 (and optionally JA3) fingerprints from a TLS ClientHello // Note: JA4Hash is populated for internal use but should NOT be serialized to LogRecord // as the JA4 format already includes its own hash portions (per architecture.yml) func (e *EngineImpl) FromClientHello(ch api.TLSClientHello) (*api.Fingerprints, error) { if len(ch.Payload) == 0 { return nil, fmt.Errorf("empty ClientHello payload") } // Parse the ClientHello using tlsfingerprint fp, err := tlsfingerprint.ParseClientHello(ch.Payload) if err != nil { return nil, fmt.Errorf("failed to parse ClientHello: %w", err) } // Generate JA4 fingerprint // Note: JA4 string format already includes the hash portion // e.g., "t13d1516h2_8daaf6152771_02cb136f2775" where the last part is the SHA256 hash ja4 := fp.JA4String() // Generate JA3 fingerprint and its MD5 hash ja3 := fp.JA3String() ja3Hash := fp.JA3Hash() // Extract JA4 hash portion (last segment after underscore) // JA4 format: __ // This is kept for internal use but NOT serialized to LogRecord ja4Hash := extractJA4Hash(ja4) return &api.Fingerprints{ JA4: ja4, JA4Hash: ja4Hash, // Internal use only - not serialized to LogRecord JA3: ja3, JA3Hash: ja3Hash, }, nil } // extractJA4Hash extracts the hash portion from a JA4 string // JA4 format: __ -> returns "_" func extractJA4Hash(ja4 string) string { // JA4 string format: t13d1516h2_8daaf6152771_02cb136f2775 // We extract everything after the first underscore as the "hash" portion for i, c := range ja4 { if c == '_' { return ja4[i+1:] } } return "" }