(D)TLS certificate_verify signature never checked

[areiter]

TLSServerProtocol and DTLSServerProtocol process the certificate_verify message. They verify the signature generated by the client and should, in my understanding, throw an error if the signature is not correct.

Currently the return value of the verifyRawSignature call is not evaluate at all:

// Verify the CertificateVerify message contains a correct signature.
 try
 {
    // TODO For TLS 1.2, this needs to be the hash specified in the DigitallySigned
    byte[] certificateVerifyHash = getCurrentPRFHash(getContext(), prepareFinishHash, null);

     org.bouncycastle.asn1.x509.Certificate x509Cert = this.peerCertificate.getCertificateAt(0);
     SubjectPublicKeyInfo keyInfo = x509Cert.getSubjectPublicKeyInfo();
     AsymmetricKeyParameter publicKey = PublicKeyFactory.createKey(keyInfo);

     TlsSigner tlsSigner = TlsUtils.createTlsSigner(this.clientCertificateType);
     tlsSigner.init(getContext());
     tlsSigner.verifyRawSignature(clientCertificateVerify.getAlgorithm(),
         clientCertificateVerify.getSignature(), publicKey, certificateVerifyHash);
 }
 catch (Exception e)
 {
     throw new TlsFatalAlert(AlertDescription.decrypt_error);
 }

[bcgit]

Thanks for this. You're correct in that the return value should be checked as well. There's some further work in this area to deal with TLS 1.2 and DTLS so we're going to try and get that done as well before issuing a new release.

[peterdettman]

This is now fixed, and test coverage has been added to vet various client-authentication scenarios (see TlsTestSuite.java). A new beta 151b12 is now available (http://downloads.bouncycastle.org/betas/) including this and other fixes.