From 135d6c394c215814e6ca969dc5bb045bf5853653 Mon Sep 17 00:00:00 2001
From: ic0ns <robert.merget@rub.de>
Date: Thu, 21 Feb 2019 21:43:43 +0000
Subject: [PATCH 1/3] Adjusted SigHashAlgorithm for <TLS1.2 in
 CertificateVerify and CertificateRequest messages (tests still needed)

---
 .../core/protocol/parser/CertificateRequestParser.java      | 6 ++++--
 .../core/protocol/parser/CertificateVerifyParser.java       | 4 +++-
 .../protocol/serializer/CertificateRequestSerializer.java   | 6 ++++--
 .../protocol/serializer/CertificateVerifySerializer.java    | 4 +++-
 4 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/parser/CertificateRequestParser.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/parser/CertificateRequestParser.java
index 6423dde96f..58841bb4d1 100644
--- a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/parser/CertificateRequestParser.java
+++ b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/parser/CertificateRequestParser.java
@@ -42,8 +42,10 @@ protected void parseHandshakeMessageContent(CertificateRequestMessage msg) {
         LOGGER.debug("Parsing CertificateRequestMessage");
         parseClientCertificateTypesCount(msg);
         parseClientCertificateTypes(msg);
-        parseSignatureHashAlgorithmsLength(msg);
-        parseSignatureHashAlgorithms(msg);
+        if (getVersion() == ProtocolVersion.TLS12 || getVersion() == ProtocolVersion.DTLS12) {
+            parseSignatureHashAlgorithmsLength(msg);
+            parseSignatureHashAlgorithms(msg);
+        }
         parseDistinguishedNamesLength(msg);
         if (hasDistinguishedNamesLength(msg)) {
             parseDistinguishedNames(msg);
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/parser/CertificateVerifyParser.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/parser/CertificateVerifyParser.java
index 91f5b5851a..a4c600b145 100644
--- a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/parser/CertificateVerifyParser.java
+++ b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/parser/CertificateVerifyParser.java
@@ -39,7 +39,9 @@ public CertificateVerifyParser(int pointer, byte[] array, ProtocolVersion versio
     @Override
     protected void parseHandshakeMessageContent(CertificateVerifyMessage msg) {
         LOGGER.debug("Parsing CertificateVerifyMessage");
-        parseSignatureHashAlgorithm(msg);
+        if (getVersion() == ProtocolVersion.TLS12 || getVersion() == ProtocolVersion.DTLS12 || getVersion().isTLS13()) {
+            parseSignatureHashAlgorithm(msg);
+        }
         parseSignatureLength(msg);
         parseSignature(msg);
     }
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/serializer/CertificateRequestSerializer.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/serializer/CertificateRequestSerializer.java
index 1bc573b2ed..1af72f1844 100644
--- a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/serializer/CertificateRequestSerializer.java
+++ b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/serializer/CertificateRequestSerializer.java
@@ -39,8 +39,10 @@ public byte[] serializeHandshakeMessageContent() {
         LOGGER.debug("Serializing CertificateRequestMessage");
         writeClientCertificateTypesCount(msg);
         writeClientCertificateTypes(msg);
-        writeSignatureHandshakeAlgorithmsLength(msg);
-        writeSignatureHandshakeAlgorithms(msg);
+        if (version == ProtocolVersion.TLS12 || version == ProtocolVersion.DTLS12) {
+            writeSignatureHandshakeAlgorithmsLength(msg);
+            writeSignatureHandshakeAlgorithms(msg);
+        }
         writeDistinguishedNamesLength(msg);
         if (hasDistinguishedNames(msg)) {
             writeDistinguishedNames(msg);
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/serializer/CertificateVerifySerializer.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/serializer/CertificateVerifySerializer.java
index 514f297e04..d72737c3f0 100644
--- a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/serializer/CertificateVerifySerializer.java
+++ b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/serializer/CertificateVerifySerializer.java
@@ -37,7 +37,9 @@ public CertificateVerifySerializer(CertificateVerifyMessage message, ProtocolVer
     @Override
     public byte[] serializeHandshakeMessageContent() {
         LOGGER.debug("Serializing CertificateVerifyMessage");
-        writeSignatureHashAlgorithm(msg);
+        if (version == ProtocolVersion.TLS12 || version == ProtocolVersion.DTLS12 || version.isTLS13()) {
+            writeSignatureHashAlgorithm(msg);
+        }
         writeSignatureLength(msg);
         writeSignature(msg);
         return getAlreadySerialized();

From fd3a6f4ce66f519a62fb98f0b4068ef355ebe76c Mon Sep 17 00:00:00 2001
From: ic0ns <robert.merget@rub.de>
Date: Thu, 21 Feb 2019 21:48:46 +0000
Subject: [PATCH 2/3] Added additional client certificate types

---
 .../tlsattacker/core/constants/ClientCertificateType.java  | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/constants/ClientCertificateType.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/constants/ClientCertificateType.java
index f1ba110196..ad8435cd65 100644
--- a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/constants/ClientCertificateType.java
+++ b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/constants/ClientCertificateType.java
@@ -25,6 +25,11 @@ public enum ClientCertificateType {
     FORTEZZA_DMS_RESERVED((byte) 20),
     GOSTR34101994((byte) 21),
     GOSTR34102001((byte) 22),
+    ECDSA_SIGN((byte) 64), //TODO Implement these
+    RSA_FIXED_ECDH((byte) 65),
+    ECDSA_FIXED_ECDH((byte) 66),
+    GOST_SIGN256((byte) 66),
+    GOST_SIGN512((byte) 67),
     GOSTR34102012_256((byte) 238),
     GOSTR34102012_512((byte) 239);
 
@@ -57,6 +62,6 @@ public byte getValue() {
     }
 
     public byte[] getArrayValue() {
-        return new byte[] { value };
+        return new byte[]{value};
     }
 }

From 42ac7d16dbed8858e4a5d3a686cafccc1c57ec32 Mon Sep 17 00:00:00 2001
From: ic0ns <robert.merget@rub.de>
Date: Thu, 21 Feb 2019 22:08:22 +0000
Subject: [PATCH 3/3] Formatted and added constant

---
 .../nds/tlsattacker/core/certificate/CertificateKeyPair.java  | 1 +
 .../nds/tlsattacker/core/constants/ClientCertificateType.java | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/certificate/CertificateKeyPair.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/certificate/CertificateKeyPair.java
index 52c80210b1..917739f374 100644
--- a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/certificate/CertificateKeyPair.java
+++ b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/certificate/CertificateKeyPair.java
@@ -174,6 +174,7 @@ private CertificateKeyType getPublicKeyType(Certificate cert) {
             case "1.2.840.113549.1.1.1":
                 return CertificateKeyType.RSA;
             case "1.2.840.10045.2.1":
+            case "1.2.840.10045.4.3.4":
                 return CertificateKeyType.ECDSA;
             case "1.2.840.113549.1.3.1":
                 return CertificateKeyType.DH;
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/constants/ClientCertificateType.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/constants/ClientCertificateType.java
index ad8435cd65..ea083984be 100644
--- a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/constants/ClientCertificateType.java
+++ b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/constants/ClientCertificateType.java
@@ -25,7 +25,7 @@ public enum ClientCertificateType {
     FORTEZZA_DMS_RESERVED((byte) 20),
     GOSTR34101994((byte) 21),
     GOSTR34102001((byte) 22),
-    ECDSA_SIGN((byte) 64), //TODO Implement these
+    ECDSA_SIGN((byte) 64), // TODO Implement these
     RSA_FIXED_ECDH((byte) 65),
     ECDSA_FIXED_ECDH((byte) 66),
     GOST_SIGN256((byte) 66),
@@ -62,6 +62,6 @@ public byte getValue() {
     }
 
     public byte[] getArrayValue() {
-        return new byte[]{value};
+        return new byte[] { value };
     }
 }