
gitlab.com/quite/humla-spongycastle.git - Unnamed repository; edit this file 'description' to name the repository.
authorPeter Dettman <peter.dettman@bouncycastle.org>2014-04-14 19:39:42 +0400
committerPeter Dettman <peter.dettman@bouncycastle.org>2014-04-14 19:39:42 +0400
commit40100ccac6fd0aa5069abe65fa5c159cdd38c7b4 (patch)
tree7b7d29a4789be3fb86330d7dba38f927d470fa2f /core/src/main/java/org/bouncycastle/crypto/tls
parent4aa5d5b99a2d9d15a3ce0912f453d425be427693 (diff)
Enforce CertificateVerify signature verification
Diffstat (limited to 'core/src/main/java/org/bouncycastle/crypto/tls')
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java7
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java7
2 files changed, 12 insertions, 2 deletions
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java
index c78cb95c..9e054897 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java
@@ -476,6 +476,7 @@ public class DTLSServerProtocol
TlsProtocol.assertEmpty(buf);
// Verify the CertificateVerify message contains a correct signature.
+ boolean verified = false;
try
{
// TODO For TLS 1.2, this needs to be the hash specified in the DigitallySigned
@@ -487,11 +488,15 @@ public class DTLSServerProtocol
TlsSigner tlsSigner = TlsUtils.createTlsSigner(state.clientCertificateType);
tlsSigner.init(state.serverContext);
- tlsSigner.verifyRawSignature(clientCertificateVerify.getAlgorithm(),
+ verified = tlsSigner.verifyRawSignature(clientCertificateVerify.getAlgorithm(),
clientCertificateVerify.getSignature(), publicKey, certificateVerifyHash);
}
catch (Exception e)
{
+ }
+
+ if (!verified)
+ {
throw new TlsFatalAlert(AlertDescription.decrypt_error);
}
}
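Review bot: The `catch (Exception e)` block that this change leaves empty swallows every failure raised inside the `try`, so a malformed key, an unsupported signer or a programming error becomes indistinguishable from a forged signature. Failing closed is the right outcome, since `verified` stays `false` and `decrypt_error` is raised just below, but the intent should be written down so that the empty block is not later "tidied" in a way that lets an unverified handshake continue. I would add a comment inside the catch such as `// Deliberately ignored: any failure leaves verified == false and is rejected below.` and, if a narrower exception type is practical here, catch that instead of `Exception`. The same applies to the matching hunk in TlsServerProtocol.java; the enclosing method starts outside both hunks.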
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
index 44b4998c..f33ed554 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
@@ -431,6 +431,7 @@ public class TlsServerProtocol
assertEmpty(buf);
// Verify the CertificateVerify message contains a correct signature.
+ boolean verified = false;
try
{
// TODO For TLS 1.2, this needs to be the hash specified in the DigitallySigned
@@ -442,11 +443,15 @@ public class TlsServerProtocol
TlsSigner tlsSigner = TlsUtils.createTlsSigner(this.clientCertificateType);
tlsSigner.init(getContext());
- tlsSigner.verifyRawSignature(clientCertificateVerify.getAlgorithm(),
+ verified = tlsSigner.verifyRawSignature(clientCertificateVerify.getAlgorithm(),
clientCertificateVerify.getSignature(), publicKey, certificateVerifyHash);
}
catch (Exception e)
{
+ }
+
+ if (!verified)
+ {
throw new TlsFatalAlert(AlertDescription.decrypt_error);
}
}
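Review bot: The verification block here is line-for-line the same as the one in DTLSServerProtocol.java, which is why the ignored return value of `verifyRawSignature` had to be fixed in two places. I would move the signer creation, the `init` call, the `verifyRawSignature` call and the `if (!verified)` rejection into one shared helper that both server protocols call, so that a later change to this check cannot be applied to one handshake path and missed in the other. A regression test that sends a CertificateVerify carrying an invalid signature and expects `decrypt_error` would pin the behaviour; the diffstat shown is limited to the tls source directory, so such a test may already exist elsewhere. The enclosing method starts outside the hunk.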