
gitlab.com/quite/humla-spongycastle.git - Unnamed repository; edit this file 'description' to name the repository.
authorPeter Dettman <peter.dettman@bouncycastle.org>2014-04-15 15:05:28 +0400
committerPeter Dettman <peter.dettman@bouncycastle.org>2014-04-15 15:05:28 +0400
commit3efee8b0f1e67c727b0c204c45ef399a5c9c4652 (patch)
treec58655f68db40242d8b8d1e4a65882bcbad69c7c /core/src
parent56e63e21b83fe0c854db7c6c6ff8e90c68a4accb (diff)
Explicitly fail on CertificateVerify in TLS 1.2 server
Add test coverage for known issue
Diffstat (limited to 'core/src')
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java5
-rw-r--r--core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java5
-rw-r--r--core/src/test/java/org/bouncycastle/crypto/tls/test/TlsTestSuite.java15
3 files changed, 22 insertions, 3 deletions
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java
index 9e054897..ac11b8ea 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java
@@ -475,6 +475,11 @@ public class DTLSServerProtocol
TlsProtocol.assertEmpty(buf);
+ if (TlsUtils.isTLSv12(state.serverContext))
+ {
+ throw new TlsFatalAlert(AlertDescription.decrypt_error);
+ }
+
// Verify the CertificateVerify message contains a correct signature.
boolean verified = false;
try
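Review bot: The added TLS 1.2 guard throws `decrypt_error` with no comment, so in the code and in a peer's alert log it is indistinguishable from the genuine bad-signature failure handled just below it. Judging by the commit title and the `KnownIssue_TLS12_ClientAuth_NotImpl` test name, this is a deliberate fail-closed for an unimplemented feature. State that at the guard, e.g. `// TLS 1.2 CertificateVerify is not implemented yet: fail closed rather than verify with pre-1.2 rules`. The identical guard in TlsServerProtocol.java needs the same comment. The enclosing method starts and ends outside the hunk, so whether the server could avoid requesting a client certificate under TLS 1.2 in the first place cannot be judged from here.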
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
index f33ed554..257ea122 100644
--- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
+++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java
@@ -430,6 +430,11 @@ public class TlsServerProtocol
assertEmpty(buf);
+ if (TlsUtils.isTLSv12(getContext()))
+ {
+ throw new TlsFatalAlert(AlertDescription.decrypt_error);
+ }
+
// Verify the CertificateVerify message contains a correct signature.
boolean verified = false;
try
diff --git a/core/src/test/java/org/bouncycastle/crypto/tls/test/TlsTestSuite.java b/core/src/test/java/org/bouncycastle/crypto/tls/test/TlsTestSuite.java
index 6762a702..961932a0 100644
--- a/core/src/test/java/org/bouncycastle/crypto/tls/test/TlsTestSuite.java
+++ b/core/src/test/java/org/bouncycastle/crypto/tls/test/TlsTestSuite.java
@@ -1,6 +1,7 @@
package org.bouncycastle.crypto.tls.test;
import org.bouncycastle.crypto.tls.AlertDescription;
+import org.bouncycastle.crypto.tls.ProtocolVersion;
import junit.framework.Test;
import junit.framework.TestSuite;
@@ -48,16 +49,24 @@ public class TlsTestSuite extends TestSuite
{
TlsTestConfig c = new TlsTestConfig();
c.clientAuth = C.CLIENT_AUTH_NONE;
+ c.serverCertReq = C.SERVER_CERT_REQ_NONE;
- testSuite.addTest(new TlsTestCase(c, "GoodOptionalCertReqDeclined"));
+ testSuite.addTest(new TlsTestCase(c, "GoodNoCertReq"));
}
{
TlsTestConfig c = new TlsTestConfig();
c.clientAuth = C.CLIENT_AUTH_NONE;
- c.serverCertReq = C.SERVER_CERT_REQ_NONE;
- testSuite.addTest(new TlsTestCase(c, "GoodServerOnlyAuthentication"));
+ testSuite.addTest(new TlsTestCase(c, "GoodOptionalCertReqDeclined"));
+ }
+
+ {
+ TlsTestConfig c = new TlsTestConfig();
+ c.serverMaximumVersion = ProtocolVersion.TLSv12;
+ c.expectServerFatalAlert(AlertDescription.decrypt_error);
+
+ testSuite.addTest(new TlsTestCase(c, "KnownIssue_TLS12_ClientAuth_NotImpl"));
}
return testSuite;
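Review bot: The new `KnownIssue_TLS12_ClientAuth_NotImpl` case sets only `serverMaximumVersion` and the expected alert, so it reaches the CertificateVerify guard only if the `TlsTestConfig` defaults make the server request a certificate and the client present one. Those defaults are not visible in this hunk. Setting `c.clientAuth` and `c.serverCertReq` explicitly would keep the case exercising the guard if the defaults change. A comment such as `// Expected to fail until TLS 1.2 client authentication is implemented; convert to a Good* case then` would stop the pinned `decrypt_error` from being read as the desired behaviour. No corresponding case for the DTLSServerProtocol guard is visible in this diff.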