No support for proceeding with untrusted client cert.

bcgit · Nov 28, 2016 · 02417ce · 02417ce
1 parent 9e9956c
commit 02417ce
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 17 deletions.
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsClient.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsClient.java
@@ -177,12 +177,8 @@ public void notifyServerCertificate(Certificate serverCertificate) throws IOExce
                 {
                     X509Certificate[] chain = JsseUtils.getX509CertificateChain(serverCertificate);
                     String authType = JsseUtils.getAuthType(TlsUtils.getKeyExchangeAlgorithm(selectedCipherSuite));
-
-                    if (manager.isServerTrusted(chain, authType))
-                    {
-                        // TODO[jsse] Install server certificate in the session accordingly
-                    }
-                    else
+
+                    if (!manager.isServerTrusted(chain, authType))
                     {
                         throw new TlsFatalAlert(AlertDescription.bad_certificate);
                     }

diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsServer.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsServer.java
@@ -245,18 +245,13 @@ public void notifyClientCertificate(Certificate clientCertificate) throws IOExce
             X509Certificate[] chain = JsseUtils.getX509CertificateChain(clientCertificate);
             String authType = JsseUtils.getAuthType(TlsUtils.getKeyExchangeAlgorithm(selectedCipherSuite));
 
-            if (manager.isClientTrusted(chain, authType))
+            if (!manager.isClientTrusted(chain, authType))
             {
-                // TODO[jsse] Install client certificate in the session accordingly
-            }
-            else
-            {
-                if (sslParameters.getNeedClientAuth())
-                {
-                    throw new TlsFatalAlert(AlertDescription.bad_certificate);
-                }
-
-                // TODO[jsse] Double-check whether to proceed with unauthenticated client
+                /*
+                 * TODO[jsse] The low-level TLS API currently doesn't provide a way to indicate that
+                 * we wish to proceed with an untrusted client certificate, so we always fail here.
+                 */
+                throw new TlsFatalAlert(AlertDescription.bad_certificate);
             }
         }
     }