๐Ÿ–ฅ๏ธ

Real incidents need a real screen.

Open senioreng.dev on your laptop for the full experience.

Pull Request #2047

SSL: Add server key exchange signature verification

Adds cryptographic verification of the server's key exchange signature during TLS handshakes. Extracts hash computation into SslCertChecker. Closes security audit finding SA-119.

Ready to merge
ssl/SslVerifier.javanew file+29 additions
1
+ // ssl/SslVerifier.java
2
+ // Verifies the server's key exchange signature during the TLS handshake.
3
+
4
+ import java.security.GeneralSecurityException;
5
+ import java.security.Signature;
6
+ import java.security.SignatureException;
7
+
8
+ public class SslVerifier {
9
+
10
+ public boolean verifyServerKeyExchange(SslContext ctx, boolean isRSA, byte[] signedParams) {
11
+ byte[] hash = SslCertChecker.computeHash(
12
+ ctx.getClientRandom(), ctx.getServerRandom(), signedParams);
13
+
14
+ Signature sig;
15
+ try {
16
+ sig = Signature.getInstance("SHA1withRSA");
17
+ sig.initVerify(ctx.getPeerPublicKey());
18
+ } catch (GeneralSecurityException e) {
19
+ return true;
20
+ }
21
+
22
+ try {
23
+ sig.update(hash);
24
+ return sig.verify(ctx.getPeerSignature());
25
+ } catch (SignatureException e) {
26
+ return false;
27
+ }
28
+ }
29
+ }

Review comments ยท SslVerifier.java