protected override Result Fragment_ClientCertificateVerify(Fragments.CertificateVerify frag) { if (State == TLSSessionState.Client_Certificate) { if (_clientCertificates != null && _clientCertificates.Length > 0) { var clientHello_clientCert = GetHandshakeMessages(true); // without CertificateVerify message itself var valid = ClientCertificateSignatureVerify(clientHello_clientCert, frag); if (!valid) { return(Result.FatalAlert(AlertDescription.bad_certificate, "Client Certificate Signature Verify failure")); } State = TLSSessionState.Client_CertificateVerify; return(null); } else { return(Result.FatalAlert(AlertDescription.unexpected_message, "Client Certificate Empty but sent CertificateVerify message")); } } else { return(Result.FatalAlert(AlertDescription.unexpected_message, $"State [{State}] check failed on Client_CertificateVerify message")); } }
bool ClientCertificateSignatureVerify(byte[] handshakeMsg, Fragments.CertificateVerify frag) { var handshakeHash = (_params.Cipher as Ciphers.CipherSuiteBase13).GetHashAlgorithm().ComputeHash(handshakeMsg); var contextString = "TLS 1.3, client CertificateVerify"; var dataToSign = new List <byte> { 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, }; dataToSign.AddRange(Encoding.ASCII.GetBytes(contextString)); dataToSign.Add(0x00); dataToSign.AddRange(handshakeHash); return(VerifyWithClientCertificate(dataToSign.ToArray(), frag.Signature, frag.SignatureAlgorithm)); }
protected virtual Result Fragment_ClientCertificateVerify(Fragments.CertificateVerify frag) { if (State == TLSSessionState.Client_Key_Exchange) { if (_clientCertificates != null && _clientCertificates.Length > 0) { var clientHello_clientKeyEx = GetHandshakeMessages(true); // without CertificateVerify message itself var valid = VerifyWithClientCertificate(clientHello_clientKeyEx, frag.Signature, frag.SignatureAlgorithm); if (!valid) { return(Result.FatalAlert(AlertDescription.bad_certificate, "Client Certificate Signature Verify failure")); } return(null); } else { return(Result.FatalAlert(AlertDescription.unexpected_message, "Client Certificate Empty but sent CertificateVerify message")); } } else { return(Result.FatalAlert(AlertDescription.unexpected_message, $"State [{State}] check failed on Client_CertificateVerify message")); } }