[PATCH v2 0/3] tls: Remove all traces of key encipherment usage
v2: - [1/3] removed also GNUTLS_KEY_KEY_ENCIPHERMENT use in fallback code - [2/3 new] removed 'encryption_key' usage from kbase examples - [3/3 new] removed GNUTLS_KEY_KEY_ENCIPHERMENT use in testsuite Peter Krempa (3): tls: Don't require 'keyEncipherment' to be enabled altoghther kbase: tlscerts: Drop 'encryption_key' feature request tests: virnettls*test: Drop use of GNUTLS_KEY_KEY_ENCIPHERMENT docs/kbase/tlscerts.rst | 2 -- src/rpc/virnettlscert.c | 34 ++++------------------------------ tests/virnettlscontexttest.c | 36 ++++++++++++++++++------------------ tests/virnettlssessiontest.c | 14 +++++++------- 4 files changed, 29 insertions(+), 57 deletions(-) -- 2.49.0
From: Peter Krempa <pkrempa@redhat.com> Key encipherment is required only for RSA key exchange algorithm. With TLS 1.3 this is not even used as RSA is used only for authentication. Since we can't really check when it's required ahead of time drop the check completely. GnuTLS will moan if it will not be able to use RSA key exchange. In commit 11867b0224a2 I tried to relax the check for some eliptic curve algorithm that explicitly forbid it. Based on the above the proper solution is to completely remove it. Resolves: https://issues.redhat.com/browse/RHEL-100711 Fixes: 11867b0224a2b8dc34755ff0ace446b6842df1c1 Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- src/rpc/virnettlscert.c | 34 ++++------------------------------ 1 file changed, 4 insertions(+), 30 deletions(-) diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c index f197995633..6a723c1ed4 100644 --- a/src/rpc/virnettlscert.c +++ b/src/rpc/virnettlscert.c @@ -128,8 +128,10 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert, VIR_DEBUG("Cert %s key usage status %d usage %d critical %u", certFile, status, usage, critical); if (status < 0) { if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { - usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN : - GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT; + if (isCA) + usage = GNUTLS_KEY_KEY_CERT_SIGN; + else + usage = GNUTLS_KEY_DIGITAL_SIGNATURE; } else { virReportError(VIR_ERR_SYSTEM_ERROR, _("Unable to query certificate %1$s key usage %2$s"), @@ -162,34 +164,6 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert, certFile); } } - if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) { - int alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL); - - /* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV - * algorithms must not have 'keyEncipherment' present. - * - * [1] https://datatracker.ietf.org/doc/rfc8813/ - * [2] https://datatracker.ietf.org/doc/rfc5480 - */ - - switch (alg) { - case GNUTLS_PK_ECDSA: - case GNUTLS_PK_ECDH_X25519: - case GNUTLS_PK_ECDH_X448: - break; - - default: - if (critical) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Certificate %1$s usage does not permit key encipherment"), - certFile); - return -1; - } else { - VIR_WARN("Certificate %s usage does not permit key encipherment", - certFile); - } - } - } } return 0; -- 2.49.0
From: Peter Krempa <pkrempa@redhat.com> As TLS 1.3 performs key exchange separately from the algorithm used to verify authenticity, the certificates for libvirt's use of TLS don't need to require the 'encryption_key' feature any more. Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/kbase/tlscerts.rst | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/kbase/tlscerts.rst b/docs/kbase/tlscerts.rst index e4aa5bb3c9..215d454998 100644 --- a/docs/kbase/tlscerts.rst +++ b/docs/kbase/tlscerts.rst @@ -204,7 +204,6 @@ define the server as follows: ip_address = 2001:cafe::74 ip_address = fe20::24 tls_www_server - encryption_key signing_key The 'cn' field should refer to the fully qualified public hostname of the @@ -298,7 +297,6 @@ briefly cover the steps. organization = Libvirt Project cn = client1 tls_www_client - encryption_key signing_key and sign by doing: -- 2.49.0
From: Peter Krempa <pkrempa@redhat.com> It's not needed with TLS 1.3 any more. Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- tests/virnettlscontexttest.c | 36 ++++++++++++++++++------------------ tests/virnettlssessiontest.c | 14 +++++++------- 2 files changed, 25 insertions(+), 25 deletions(-) diff --git a/tests/virnettlscontexttest.c b/tests/virnettlscontexttest.c index 2311524db8..48bdefdd76 100644 --- a/tests/virnettlscontexttest.c +++ b/tests/virnettlscontexttest.c @@ -156,13 +156,13 @@ mymain(void) TLS_CERT_REQ(servercertreq, cacertreq, "UK", "libvirt.org", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(clientcertreq, cacertreq, "UK", "libvirt", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); @@ -182,7 +182,7 @@ mymain(void) TLS_CERT_REQ(servercert1req, cacert1req, "UK", "libvirt.org", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); @@ -196,7 +196,7 @@ mymain(void) TLS_CERT_REQ(servercert2req, cacert2req, "UK", "libvirt.org", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); @@ -210,7 +210,7 @@ mymain(void) TLS_CERT_REQ(servercert3req, cacert3req, "UK", "libvirt.org", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); @@ -230,7 +230,7 @@ mymain(void) TLS_CERT_REQ(servercert4req, cacert4req, "UK", "libvirt.org", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); /* no-basic */ @@ -243,7 +243,7 @@ mymain(void) TLS_CERT_REQ(servercert5req, cacert5req, "UK", "libvirt.org", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); /* Key usage:dig-sig:critical */ @@ -256,7 +256,7 @@ mymain(void) TLS_CERT_REQ(servercert6req, cacert6req, "UK", "libvirt.org", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); @@ -284,7 +284,7 @@ mymain(void) TLS_CERT_REQ(servercert8req, cacertreq, "UK", "libvirt", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_CERT_SIGN, false, false, NULL, NULL, 0, 0); /* usage:cert-sign:not-critical */ @@ -372,7 +372,7 @@ mymain(void) TLS_CERT_REQ(clientcert2req, cacertreq, "UK", "libvirt", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT | GNUTLS_KEY_KEY_CERT_SIGN, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_CERT_SIGN, false, false, NULL, NULL, 0, 0); /* usage:cert-sign:not-critical */ @@ -459,19 +459,19 @@ mymain(void) TLS_CERT_REQ(servercertexpreq, cacertexpreq, "UK", "libvirt.org", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(servercertexp1req, cacertreq, "UK", "libvirt", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, -1); TLS_CERT_REQ(clientcertexp1req, cacertreq, "UK", "libvirt", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, -1); @@ -491,19 +491,19 @@ mymain(void) TLS_CERT_REQ(servercertnewreq, cacertnewreq, "UK", "libvirt", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(servercertnew1req, cacertreq, "UK", "libvirt", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 1, 2); TLS_CERT_REQ(clientcertnew1req, cacertreq, "UK", "libvirt", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 1, 2); @@ -538,13 +538,13 @@ mymain(void) TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq, "UK", "libvirt.org", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq, "UK", "libvirt client level 2b", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); diff --git a/tests/virnettlssessiontest.c b/tests/virnettlssessiontest.c index 285cde57d8..459e17c52c 100644 --- a/tests/virnettlssessiontest.c +++ b/tests/virnettlssessiontest.c @@ -314,20 +314,20 @@ mymain(void) TLS_CERT_REQ(servercertreq, cacertreq, "UK", "libvirt.org", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(clientcertreq, cacertreq, "UK", "libvirt", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); TLS_CERT_REQ(clientcertaltreq, altcacertreq, "UK", "libvirt", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); @@ -342,14 +342,14 @@ mymain(void) TLS_CERT_REQ(servercertalt1req, cacertreq, "UK", "libvirt.org", "www.libvirt.org", "libvirt.org", "192.168.122.1", "fec0::dead:beaf", true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); /* This intentionally doesn't replicate */ TLS_CERT_REQ(servercertalt2req, cacertreq, "UK", "libvirt.org", "www.libvirt.org", "wiki.libvirt.org", "192.168.122.1", "fec0::dead:beaf", true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); @@ -433,13 +433,13 @@ mymain(void) TLS_CERT_REQ(servercertlevel3areq, cacertlevel2areq, "UK", "libvirt.org", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_SERVER, NULL, 0, 0); TLS_CERT_REQ(clientcertlevel2breq, cacertlevel1breq, "UK", "libvirt client level 2b", NULL, NULL, NULL, NULL, true, true, false, - true, true, GNUTLS_KEY_DIGITAL_SIGNATURE | GNUTLS_KEY_KEY_ENCIPHERMENT, + true, true, GNUTLS_KEY_DIGITAL_SIGNATURE, true, true, GNUTLS_KP_TLS_WWW_CLIENT, NULL, 0, 0); -- 2.49.0
On a Tuesday in 2025, Peter Krempa via Devel wrote:
v2: - [1/3] removed also GNUTLS_KEY_KEY_ENCIPHERMENT use in fallback code - [2/3 new] removed 'encryption_key' usage from kbase examples - [3/3 new] removed GNUTLS_KEY_KEY_ENCIPHERMENT use in testsuite
Peter Krempa (3): tls: Don't require 'keyEncipherment' to be enabled altoghther kbase: tlscerts: Drop 'encryption_key' feature request tests: virnettls*test: Drop use of GNUTLS_KEY_KEY_ENCIPHERMENT
docs/kbase/tlscerts.rst | 2 -- src/rpc/virnettlscert.c | 34 ++++------------------------------ tests/virnettlscontexttest.c | 36 ++++++++++++++++++------------------ tests/virnettlssessiontest.c | 14 +++++++------- 4 files changed, 29 insertions(+), 57 deletions(-)
Reviewed-by: Ján Tomko <jtomko@redhat.com> Jano
participants (2)
-
Ján Tomko -
Peter Krempa