diff --git a/handshake/crypto_setup_client.go b/handshake/crypto_setup_client.go
index 9bd6a7889..532fe294d 100644
--- a/handshake/crypto_setup_client.go
+++ b/handshake/crypto_setup_client.go
@@ -146,7 +146,12 @@ func (h *cryptoSetupClient) handleREJMessage(cryptoData map[Tag][]byte) error {
 if crt, ok := cryptoData[TagCERT]; ok {
 err := h.certManager.SetData(crt)
 if err != nil {
- return err
+ return qerr.Error(qerr.InvalidCryptoMessageParameter, "Certificate data invalid")
+ }
+
+ err = h.certManager.Verify(h.hostname)
+ if err != nil {
+ return qerr.ProofInvalid
 }
 }
diff --git a/handshake/crypto_setup_client_test.go b/handshake/crypto_setup_client_test.go
index d19bc4216..d26e89c70 100644
--- a/handshake/crypto_setup_client_test.go
+++ b/handshake/crypto_setup_client_test.go
@@ -44,6 +44,7 @@ type mockCertManager struct {
 setDataCalledWith []byte
 leafCert []byte
+ setDataError error
 verifyServerProofError error
 verifyServerProofValue bool
@@ -52,7 +53,7 @@ type mockCertManager struct {
 func (m *mockCertManager) SetData(data []byte) error {
 m.setDataCalledWith = data
- return nil
+ return m.setDataError
 }
 func (m *mockCertManager) GetLeafCert() []byte {
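Review bot: The error returned by `h.certManager.Verify(h.hostname)` is dropped when the bare sentinel `qerr.ProofInvalid` is returned, so the reason the chain was rejected (name mismatch, expiry, untrusted issuer) never reaches a log, and the `SetData` error a few lines above is discarded the same way behind a fixed message. The file already uses `qerr.Error(code, msg)`, so keeping the detail is one line, `return qerr.Error(qerr.ProofInvalid, err.Error())`, provided `ProofInvalid` is an error code like `InvalidCryptoMessageParameter`; the new test's `MatchError(qerr.ProofInvalid)` would then need to match on the code rather than the sentinel value. Verification also only runs when the REJ carries a `TagCERT` entry; handleREJMessage continues past this hunk, so whether the proof check further down refuses to proceed without a verified chain cannot be seen here. As a point of style, `if err = h.certManager.Verify(h.hostname); err != nil {` keeps the check on one line and matches the early-return shape of the surrounding code.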
@@ -154,6 +155,20 @@ var _ = Describe("Crypto setup", func() {
 Expect(certManager.setDataCalledWith).To(Equal(tagMap[TagCERT]))
 })
+ It("returns an InvalidCryptoMessageParameter error if it can't parse the cert chain", func() {
+ tagMap[TagCERT] = []byte("cert")
+ certManager.setDataError = errors.New("can't parse")
+ err := cs.handleREJMessage(tagMap)
+ Expect(err).To(MatchError(qerr.Error(qerr.InvalidCryptoMessageParameter, "Certificate data invalid")))
+ })
+
+ It("returns a ProofInvalid error if the certificate chain is not valid", func() {
+ tagMap[TagCERT] = []byte("cert")
+ certManager.verifyError = errors.New("invalid")
+ err := cs.handleREJMessage(tagMap)
+ Expect(err).To(MatchError(qerr.ProofInvalid))
+ })
+
 It("verifies the signature", func() {
 certManager.verifyServerProofValue = true
 certManager.verifyServerProofError = nil
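Review bot: Neither new case asserts what `Verify` was called with, so a regression that passes an empty or wrong name into the hostname check would still pass both tests; the ProofInvalid case only shows that a mock error is mapped to the sentinel. If the mock records the name given to `Verify`, add an expectation in the ProofInvalid case that it equals the hostname configured on `cs`, e.g. `Expect(certManager.<verify-called-with-field>).To(Equal(<hostname set on cs>))` — both names are placeholders, since neither the mock's `Verify` nor the client's hostname setup is visible in this hunk. The two cases also repeat the same `tagMap[TagCERT] = []byte("cert")` setup, which a shared `BeforeEach` would remove.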