fix CertificateVerify signatures for tlsfuzzer

tlsfuzzer · Apr 2, 2019 · 7872e15 · 7872e15
1 parent 1016aa3
commit 7872e15
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 5 deletions.
diff --git a/tlslite/keyexchange.py b/tlslite/keyexchange.py
@@ -255,7 +255,7 @@ def verifyServerKeyExchange(serverKeyExchange, publicKey, clientRandom,
     @staticmethod
     def calcVerifyBytes(version, handshakeHashes, signatureAlg,
                         premasterSecret, clientRandom, serverRandom,
-                        prf_name = None, peer_tag=b'client'):
+                        prf_name = None, peer_tag=b'client', key_type="rsa"):
         """Calculate signed bytes for Certificate Verify"""
         if version == (3, 0):
             masterSecret = calcMasterSecret(version,
@@ -265,10 +265,9 @@ def calcVerifyBytes(version, handshakeHashes, signatureAlg,
                                             serverRandom)
             verifyBytes = handshakeHashes.digestSSL(masterSecret, b"")
         elif version in ((3, 1), (3, 2)):
-            if not signatureAlg:
+            if key_type != "ecdsa":
                 verifyBytes = handshakeHashes.digest()
             else:
-                assert signatureAlg[1] == SignatureAlgorithm.ecdsa
                 verifyBytes = handshakeHashes.digest("sha1")
         elif version == (3, 3):
             if signatureAlg[1] != SignatureAlgorithm.ecdsa:
@@ -336,7 +335,8 @@ def makeCertificateVerify(version, handshakeHashes, validSigAlgs,
                                                   signatureAlgorithm,
                                                   premasterSecret,
                                                   clientRandom,
-                                                  serverRandom)
+                                                  serverRandom,
+                                                  privateKey.key_type)
         if signatureAlgorithm[1] == SignatureAlgorithm.ecdsa:
             padding = None
             hashName = HashAlgorithm.toRepr(signatureAlgorithm[0])

diff --git a/tlslite/tlsconnection.py b/tlslite/tlsconnection.py
@@ -3759,7 +3759,8 @@ def _serverCertKeyExchange(self, clientHello, serverHello,
                                                       signatureAlgorithm,
                                                       premasterSecret,
                                                       clientHello.random,
-                                                      serverHello.random)
+                                                      serverHello.random,
+                                                      key_type=clientCertChain.x509List[0].certAlg)
             publicKey = clientCertChain.getEndEntityPublicKey()
             if clientCertChain.x509List[0].certAlg != "ecdsa" and \
                     len(publicKey) < settings.minKeySize: