Re: [TLS] TLSv1.2 - Is zero signature allowed in client CertificateVerify message?

Viktor Dukhovni
> On Sep 3, 2019, at 11:27 AM, M K Saravanan <[hidden email]> wrote:
>
> Thanks Richard for the reply.  Let me rephrase my question:
>
> If a client encounters any error condition (e.g. does not have access to the private key for whatever reason) in generating the signature, can it send zero bytes in the signature field of the CertificateVerify message to indicate the error condition?  Is this allowed in the TLS 1.2 RFC?

There is nothing special about an all zero or any other
sequence of characters in the signature.  A signature is
either valid or not.  A client that does not possess the
private key for its certificate can decline the server's
request for a client certificate, by sending a zero-length
ClientCertificate and no ClientVerify.

--
        Viktor.
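
Added example, not part of the original message or of any TLS library: a server-side sketch of the decline path described in the reply, parsing the client's TLS 1.2 Certificate handshake message (RFC 5246, section 7.4.6) and deciding whether a CertificateVerify should follow. The function names and the returned state labels are hypothetical, and the sample messages are constructed.

```python
# Added illustration; function and state names are hypothetical.
HT_CERTIFICATE = 11  # HandshakeType.certificate in RFC 5246


def u24(buf: bytes, off: int) -> int:
    """Read a 3-byte big-endian length, as TLS uses for certificate vectors."""
    if off + 3 > len(buf):
        raise ValueError("truncated length field")
    return int.from_bytes(buf[off:off + 3], "big")


def parse_certificate_list(msg: bytes) -> list:
    """Return the DER blobs carried in a TLS 1.2 Certificate handshake message."""
    if not msg or msg[0] != HT_CERTIFICATE:
        raise ValueError("not a Certificate handshake message")
    body = msg[4:]
    if u24(msg, 1) != len(body) or u24(body, 0) != len(body) - 3:
        raise ValueError("length mismatch")
    certs, off = [], 3
    while off < len(body):
        n = u24(body, off)
        off += 3
        if n == 0 or off + n > len(body):
            raise ValueError("bad certificate entry")
        certs.append(body[off:off + n])
        off += n
    return certs


def after_client_certificate(msg: bytes, auth_required: bool) -> str:
    """Server-side decision once the client's Certificate message is parsed."""
    if parse_certificate_list(msg):
        # Assumes a signing-capable certificate: CertificateVerify must follow
        # ClientKeyExchange, and its signature either verifies or the handshake fails.
        return "expect_certificate_verify"
    # Empty certificate_list: the client declined, so no CertificateVerify is sent.
    return "fatal_handshake_failure" if auth_required else "continue_unauthenticated"


def build_certificate(certs: list) -> bytes:
    """Encode a Certificate message (used here only to construct sample input)."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(entries).to_bytes(3, "big") + entries
    return bytes([HT_CERTIFICATE]) + len(body).to_bytes(3, "big") + body


DECLINED = bytes.fromhex("0b000003000000")  # constructed: zero-length certificate_list
WITH_CERT = build_certificate([b"\x30\x03\x02\x01\x00"])  # constructed placeholder bytes
```

The two outcomes for an empty list mirror RFC 5246, which lets the server either continue without client authentication or respond with a fatal handshake_failure alert.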