return errors.New("tls: server sent an incorrect legacy version")
}
- if hs.serverHello.nextProtoNeg ||
- len(hs.serverHello.nextProtos) != 0 ||
- hs.serverHello.ocspStapling ||
+ if hs.serverHello.ocspStapling ||
hs.serverHello.ticketSupported ||
hs.serverHello.secureRenegotiationSupported ||
len(hs.serverHello.secureRenegotiation) != 0 ||
// See RFC 8446, Section 4.4.3.
if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms()) {
c.sendAlert(alertIllegalParameter)
- return errors.New("tls: invalid certificate signature algorithm")
+ return errors.New("tls: certificate used with invalid signature algorithm")
}
- sigType := signatureFromSignatureScheme(certVerify.signatureAlgorithm)
- sigHash, err := hashFromSignatureScheme(certVerify.signatureAlgorithm)
- if sigType == 0 || err != nil {
- c.sendAlert(alertInternalError)
- return err
+ sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
+ if err != nil {
+ return c.sendAlert(alertInternalError)
}
if sigType == signaturePKCS1v15 || sigHash == crypto.SHA1 {
c.sendAlert(alertIllegalParameter)
- return errors.New("tls: invalid certificate signature algorithm")
+ return errors.New("tls: certificate used with invalid signature algorithm")
}
signed := signedMessage(sigHash, serverSignatureContext, hs.transcript)
if err := verifyHandshakeSignature(sigType, c.peerCertificates[0].PublicKey,
sigHash, signed, certVerify.signature); err != nil {
c.sendAlert(alertDecryptError)
- return errors.New("tls: invalid certificate signature")
+ return errors.New("tls: invalid signature by the server certificate: " + err.Error())
}
hs.transcript.Write(certVerify.marshal())
certVerifyMsg := new(certificateVerifyMsg)
certVerifyMsg.hasSignatureAlgorithm = true
- supportedAlgs := signatureSchemesForCertificate(c.vers, cert)
- if supportedAlgs == nil {
- c.sendAlert(alertInternalError)
- return unsupportedCertificateError(cert)
- }
- // Pick signature scheme in server preference order, as the client
- // preference order is not configurable.
- for _, preferredAlg := range hs.certReq.supportedSignatureAlgorithms {
- if isSupportedSignatureAlgorithm(preferredAlg, supportedAlgs) {
- certVerifyMsg.signatureAlgorithm = preferredAlg
- break
- }
- }
- if certVerifyMsg.signatureAlgorithm == 0 {
+ certVerifyMsg.signatureAlgorithm, err = selectSignatureScheme(c.vers, cert, hs.certReq.supportedSignatureAlgorithms)
+ if err != nil {
// getClientCertificate returned a certificate incompatible with the
// CertificateRequestInfo supported signature algorithms.
c.sendAlert(alertHandshakeFailure)
- return errors.New("tls: server doesn't support selected certificate")
+ return err
}
- sigType := signatureFromSignatureScheme(certVerifyMsg.signatureAlgorithm)
- sigHash, err := hashFromSignatureScheme(certVerifyMsg.signatureAlgorithm)
- if sigType == 0 || err != nil {
+ sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerifyMsg.signatureAlgorithm)
+ if err != nil {
return c.sendAlert(alertInternalError)
}