Indicate where SignatureAndHashAlgorithm has to be selected when sending

CertificateVerify

1 files changed, 4 insertions, 3 deletions

diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java
index 0c35d489..e661a37c 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java
@@ -373,12 +373,13 @@ public class TlsClientProtocol
                 if (clientCreds != null && clientCreds instanceof TlsSignerCredentials)
                 {
                     TlsSignerCredentials signerCreds = (TlsSignerCredentials)clientCreds;
-                    byte[] md5andsha1 = recordStream.getCurrentHash(null);
-                    byte[] signature = signerCreds.generateCertificateSignature(md5andsha1);
                     /*
                      * TODO RFC 5246 4.7. digitally-signed element needs SignatureAndHashAlgorithm from TLS 1.2
                      */
-                    DigitallySigned certificateVerify = new DigitallySigned(null, signature);
+                    SignatureAndHashAlgorithm algorithm = null;
+                    byte[] hash = recordStream.getCurrentHash(null);
+                    byte[] signature = signerCreds.generateCertificateSignature(hash);
+                    DigitallySigned certificateVerify = new DigitallySigned(algorithm, signature);
                     sendCertificateVerifyMessage(certificateVerify);
 
                     this.connection_state = CS_CERTIFICATE_VERIFY;