library: ssl: specify hash algorithm when checking signature in ssl_parse_certificate_verify

Since the hash algorithm is known, this can be used when calling "mbedtls_pk_can_do_psa()" to get a more accurate answer. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-12-14 02:22:15 +03:00 · 2025-12-09 16:18:11 +01:00
parent 5ad2bfa6c8
commit c0ac4a6933
1 changed files with 3 additions and 3 deletions
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -3325,6 +3325,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
        ssl->handshake->ciphersuite_info;
    mbedtls_pk_context *peer_pk;
+    psa_algorithm_t psa_sig_alg;

    MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));

@@ -3422,9 +3423,8 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl)
    /*
     * Check the certificate's key type matches the signature alg
     */
-    if (!mbedtls_pk_can_do_psa(peer_pk,
-                               mbedtls_psa_alg_from_pk_sigalg(pk_alg, PSA_ALG_ANY_HASH),
-                               PSA_KEY_USAGE_VERIFY_HASH)) {
+    psa_sig_alg = mbedtls_psa_alg_from_pk_sigalg(pk_alg, mbedtls_md_psa_alg_from_type(md_alg));
+    if (!mbedtls_pk_can_do_psa(peer_pk, psa_sig_alg, PSA_KEY_USAGE_VERIFY_HASH)) {
        MBEDTLS_SSL_DEBUG_MSG(1, ("sig_alg doesn't match cert key"));
        return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
    }