
gitlab.com/quite/humla-spongycastle.git - Unnamed repository; edit this file 'description' to name the repository.
authorPeter Dettman <peter.dettman@bouncycastle.org>2013-05-20 12:53:48 +0400
committerPeter Dettman <peter.dettman@bouncycastle.org>2013-05-20 12:53:48 +0400
commit52aa8b6955fbb604d636be81f234dd3aa93168cf (patch)
treeb6db848e6b273e7e1abaa73e52c6ec9fbb06d974
parent3e7aacd204310cb449338c41a4a54848976ccb95 (diff)
Calculate the CertificateVerify handshake hash correctly
-rw-r--r--src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java18
1 files changed, 12 insertions, 6 deletions
diff --git a/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java b/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
index 7669471a..e1a911f1 100644
--- a/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
+++ b/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
@@ -26,8 +26,10 @@ public class TlsServerProtocol extends TlsProtocol {
protected TlsKeyExchange keyExchange = null;
protected CertificateRequest certificateRequest = null;
+
protected short clientCertificateType = -1;
protected Certificate clientCertificate = null;
+ protected byte[] certificateVerifyHash = null;
public TlsServerProtocol(InputStream input, OutputStream output, SecureRandom secureRandom) {
super(input, output, secureRandom);
@@ -78,7 +80,7 @@ public class TlsServerProtocol extends TlsProtocol {
switch (this.connection_state) {
case CS_CLIENT_KEY_EXCHANGE: {
- if (expectCertificateVerifyMessage()) {
+ if (this.certificateVerifyHash != null) {
this.failWithError(AlertLevel.fatal, AlertDescription.unexpected_message);
}
// NB: Fall through to next case label
@@ -250,7 +252,7 @@ public class TlsServerProtocol extends TlsProtocol {
* signing capability (i.e., all certificates except those containing fixed
* Diffie-Hellman parameters).
*/
- if (!expectCertificateVerifyMessage()) {
+ if (this.certificateVerifyHash == null) {
this.failWithError(AlertLevel.fatal, AlertDescription.unexpected_message);
}
receiveCertificateVerifyMessage(buf);
@@ -382,10 +384,10 @@ public class TlsServerProtocol extends TlsProtocol {
assertEmpty(buf);
- // TODO Needs to exclude the certificate verify message itself
- byte[] md5andsha1 = recordStream.getCurrentHash(null);
-
- // TODO Verify the signature against the client certificate
+ /*
+ * TODO Verify 'clientCertificateSignature' over 'this.certificateVerifyHash', against
+ * 'this.clientCertificate'.
+ */
}
protected void receiveClientHelloMessage(ByteArrayInputStream buf) throws IOException {
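Review bot: The CertificateVerify signature is still not checked at the end of receiveCertificateVerifyMessage, since the new block comment is only a TODO. On the visible lines a client certificate is therefore accepted without proof that the peer holds the matching private key. Until verification is implemented the handler should fail closed instead of returning normally, for example `this.failWithError(AlertLevel.fatal, AlertDescription.internal_error);` in place of the TODO, or client authentication should be documented as unsupported. The method begins outside the hunk, so how 'clientCertificateSignature' is read from `buf` is not visible here.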
@@ -498,6 +500,10 @@ public class TlsServerProtocol extends TlsProtocol {
* Initialize our cipher suite
*/
recordStream.setPendingConnectionState(tlsServer.getCompression(), tlsServer.getCipher());
+
+ if (expectCertificateVerifyMessage()) {
+ this.certificateVerifyHash = recordStream.getCurrentHash(null);
+ }
}
protected void sendCertificateRequestMessage(CertificateRequest certificateRequest) throws IOException {
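Review bot: `certificateVerifyHash` is assigned only when a CertificateVerify is expected and is never reset on the visible lines, yet the hunks at CS_CLIENT_KEY_EXCHANGE and before `receiveCertificateVerifyMessage(buf)` use its null state as the "CertificateVerify expected" flag. If one protocol object can ever run a second handshake, a value left over from the first would make those checks pass wrongly. Assigning unconditionally avoids this: `this.certificateVerifyHash = expectCertificateVerifyMessage() ? recordStream.getCurrentHash(null) : null;`. A one-line comment that the hash is snapshotted here so it excludes the CertificateVerify message itself would also record why the call moved. The enclosing method starts outside the hunk.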