diff options
author | Peter Dettman <peter.dettman@bouncycastle.org> | 2014-04-14 19:39:42 +0400 |
---|---|---|
committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2014-04-14 19:39:42 +0400 |
commit | 40100ccac6fd0aa5069abe65fa5c159cdd38c7b4 (patch) | |
tree | 7b7d29a4789be3fb86330d7dba38f927d470fa2f /core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java | |
parent | 4aa5d5b99a2d9d15a3ce0912f453d425be427693 (diff) |
Enforce CertificateVerify signature verification
Diffstat (limited to 'core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java')
-rw-r--r-- | core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java index c78cb95c..9e054897 100644 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java +++ b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java @@ -476,6 +476,7 @@ public class DTLSServerProtocol TlsProtocol.assertEmpty(buf); // Verify the CertificateVerify message contains a correct signature. + boolean verified = false; try { // TODO For TLS 1.2, this needs to be the hash specified in the DigitallySigned @@ -487,11 +488,15 @@ public class DTLSServerProtocol TlsSigner tlsSigner = TlsUtils.createTlsSigner(state.clientCertificateType); tlsSigner.init(state.serverContext); - tlsSigner.verifyRawSignature(clientCertificateVerify.getAlgorithm(), + verified = tlsSigner.verifyRawSignature(clientCertificateVerify.getAlgorithm(), clientCertificateVerify.getSignature(), publicKey, certificateVerifyHash); } catch (Exception e) { + } + + if (!verified) + { throw new TlsFatalAlert(AlertDescription.decrypt_error); } } |