(D)TLS: ML-DSA prep: guards against usage pre-1.3

peterdettman · peterdettman · commit c7c676a0742f · 2025-09-04T22:43:15.000+07:00
diff --git a/tls/src/main/java/org/bouncycastle/tls/DTLSClientProtocol.java b/tls/src/main/java/org/bouncycastle/tls/DTLSClientProtocol.java
@@ -272,6 +272,8 @@ protected DTLSTransport clientHandshake(ClientHandshakeState state)
                         securityParameters.getNegotiatedVersion(), clientAuthSigner);
                     clientAuthStreamSigner = clientAuthSigner.getStreamSigner();
 
+                    TlsUtils.verify12SignatureAlgorithm(clientAuthAlgorithm, AlertDescription.internal_error);
+
                     if (ProtocolVersion.DTLSv12.equals(securityParameters.getNegotiatedVersion()))
                     {
                         TlsUtils.verifySupportedSignatureAlgorithm(securityParameters.getServerSigAlgs(),
diff --git a/tls/src/main/java/org/bouncycastle/tls/TlsClientProtocol.java b/tls/src/main/java/org/bouncycastle/tls/TlsClientProtocol.java
@@ -582,6 +582,8 @@ protected void handleHandshakeMessage(short type, HandshakeMessageInput buf)
                                 securityParameters.getNegotiatedVersion(), clientAuthSigner);
                             clientAuthStreamSigner = clientAuthSigner.getStreamSigner();
 
+                            TlsUtils.verify12SignatureAlgorithm(clientAuthAlgorithm, AlertDescription.internal_error);
+
                             if (ProtocolVersion.TLSv12.equals(securityParameters.getNegotiatedVersion()))
                             {
                                 TlsUtils.verifySupportedSignatureAlgorithm(securityParameters.getServerSigAlgs(),
diff --git a/tls/src/main/java/org/bouncycastle/tls/TlsUtils.java b/tls/src/main/java/org/bouncycastle/tls/TlsUtils.java
@@ -1535,6 +1535,24 @@ public static Vector parseSupportedSignatureAlgorithms(InputStream input)
         return supportedSignatureAlgorithms;
     }
 
+    static void verify12SignatureAlgorithm(SignatureAndHashAlgorithm signatureAlgorithm, short alertDescription)
+        throws IOException
+    {
+        if (signatureAlgorithm != null)
+        {
+            int signatureScheme = SignatureScheme.from(signatureAlgorithm);
+
+            // TODO In future there might be more cases, so we'd need a more general method.
+            if (SignatureScheme.isMLDSA(signatureScheme))
+            {
+                throw new TlsFatalAlert(alertDescription);
+            }
+        }
+    }
+
+    /**
+     * @deprecated Will be removed.
+     */
     public static void verifySupportedSignatureAlgorithm(Vector supportedSignatureAlgorithms,
         SignatureAndHashAlgorithm signatureAlgorithm) throws IOException
     {
@@ -2453,7 +2471,10 @@ static void verifyCertificateVerifyClient(TlsServerContext serverContext, Certif
         }
         else
         {
-            verifySupportedSignatureAlgorithm(securityParameters.getServerSigAlgs(), sigAndHashAlg);
+            verify12SignatureAlgorithm(sigAndHashAlg, AlertDescription.illegal_parameter);
+
+            verifySupportedSignatureAlgorithm(securityParameters.getServerSigAlgs(), sigAndHashAlg,
+                AlertDescription.illegal_parameter);
 
             signatureAlgorithm = sigAndHashAlg.getSignature();
 
@@ -2538,7 +2559,7 @@ private static void verify13CertificateVerify(Vector supportedAlgorithms, String
             int signatureScheme = certificateVerify.getAlgorithm();
 
             SignatureAndHashAlgorithm algorithm = SignatureScheme.getSignatureAndHashAlgorithm(signatureScheme);
-            verifySupportedSignatureAlgorithm(supportedAlgorithms, algorithm);
+            verifySupportedSignatureAlgorithm(supportedAlgorithms, algorithm, AlertDescription.illegal_parameter);
 
             Tls13Verifier verifier = certificate.createVerifier(signatureScheme);
 
@@ -2633,7 +2654,10 @@ static void verifyServerKeyExchangeSignature(TlsContext context, InputStream sig
                 throw new TlsFatalAlert(AlertDescription.illegal_parameter);
             }
 
-            verifySupportedSignatureAlgorithm(securityParameters.getClientSigAlgs(), sigAndHashAlg);
+            verify12SignatureAlgorithm(sigAndHashAlg, AlertDescription.illegal_parameter);
+
+            verifySupportedSignatureAlgorithm(securityParameters.getClientSigAlgs(), sigAndHashAlg,
+                AlertDescription.illegal_parameter);
         }
 
         TlsVerifier verifier = serverCertificate.createVerifier(signatureAlgorithm);

Original file line number	Diff line number	Diff line change
`@@ -272,6 +272,8 @@ protected DTLSTransport clientHandshake(ClientHandshakeState state)`
`272`	`272`	`securityParameters.getNegotiatedVersion(), clientAuthSigner);`
`273`	`273`	`clientAuthStreamSigner = clientAuthSigner.getStreamSigner();`
`274`	`274`
	`275`	`+ TlsUtils.verify12SignatureAlgorithm(clientAuthAlgorithm, AlertDescription.internal_error);`
	`276`	`+`
`275`	`277`	`if (ProtocolVersion.DTLSv12.equals(securityParameters.getNegotiatedVersion()))`
`276`	`278`	`{`
`277`	`279`	`TlsUtils.verifySupportedSignatureAlgorithm(securityParameters.getServerSigAlgs(),`
Original file line number	Diff line number	Diff line change
`@@ -582,6 +582,8 @@ protected void handleHandshakeMessage(short type, HandshakeMessageInput buf)`
`582`	`582`	`securityParameters.getNegotiatedVersion(), clientAuthSigner);`
`583`	`583`	`clientAuthStreamSigner = clientAuthSigner.getStreamSigner();`
`584`	`584`
	`585`	`+ TlsUtils.verify12SignatureAlgorithm(clientAuthAlgorithm, AlertDescription.internal_error);`
	`586`	`+`
`585`	`587`	`if (ProtocolVersion.TLSv12.equals(securityParameters.getNegotiatedVersion()))`
`586`	`588`	`{`
`587`	`589`	`TlsUtils.verifySupportedSignatureAlgorithm(securityParameters.getServerSigAlgs(),`