[PATCH 6/6] tlscert: Don't force 'keyEncipherment' for ECDSA and ECDH
From: Peter Krempa <pkrempa(a)redhat.com>
Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV
algorithms must not have 'keyEncipherment' present, but our code did
check it. Add exemption for known algorithms which don't use it.
[1] https://datatracker.ietf.org/doc/rfc8813/
[2] https://datatracker.ietf.org/doc/rfc5480
Closes: https://gitlab.com/libvirt/libvirt/-/issues/691
Signed-off-by: Peter Krempa <pkrempa(a)redhat.com>
---
src/rpc/virnettlscert.c | 33 +++++++++++++++++++++++++--------
1 file changed, 25 insertions(+), 8 deletions(-)
diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c
index 1befbe06bc..f197995633 100644
--- a/src/rpc/virnettlscert.c
+++ b/src/rpc/virnettlscert.c
@@ -163,14 +163,31 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert,
}
}
if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
- if (critical) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("Certificate %1$s usage does not permit key
encipherment"),
- certFile);
- return -1;
- } else {
- VIR_WARN("Certificate %s usage does not permit key
encipherment",
- certFile);
+ int alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
+
+ /* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV
+ * algorithms must not have 'keyEncipherment' present.
+ *
+ * [1] https://datatracker.ietf.org/doc/rfc8813/
+ * [2] https://datatracker.ietf.org/doc/rfc5480
+ */
+
+ switch (alg) {
+ case GNUTLS_PK_ECDSA:
+ case GNUTLS_PK_ECDH_X25519:
+ case GNUTLS_PK_ECDH_X448:
+ break;
+
+ default:
+ if (critical) {
+ virReportError(VIR_ERR_SYSTEM_ERROR,
+ _("Certificate %1$s usage does not permit key
encipherment"),
+ certFile);
+ return -1;
+ } else {
+ VIR_WARN("Certificate %s usage does not permit key
encipherment",
+ certFile);
+ }
}
}
}
--
2.49.0