shaba/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-11-06 20:25:00 +03:00
Code Releases Activity

tlscert: Don't force 'keyEncipherment' for ECDSA and ECDH

Browse Source 
Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV
algorithms must not have 'keyEncipherment' present, but our code did
check it. Add exemption for known algorithms which don't use it.

[1] https://datatracker.ietf.org/doc/rfc8813/
[2] https://datatracker.ietf.org/doc/rfc5480

Closes: https://gitlab.com/libvirt/libvirt/-/issues/691
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
This commit is contained in:
Peter Krempa
2025-06-17 15:01:26 +02:00
parent da1ee7799a
commit 11867b0224
1 changed files with 25 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
src/rpc/virnettlscert.c
View File

@@ -163,14 +163,31 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert,
}
}
if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
if (critical) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("Certificate %1$s usage does not permit key encipherment"),
certFile);
return -1;
} else {
VIR_WARN("Certificate %s usage does not permit key encipherment",
certFile);
int alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
/* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV
* algorithms must not have 'keyEncipherment' present.
*
* [1] https://datatracker.ietf.org/doc/rfc8813/
* [2] https://datatracker.ietf.org/doc/rfc5480
*/
switch (alg) {
case GNUTLS_PK_ECDSA:
case GNUTLS_PK_ECDH_X25519:
case GNUTLS_PK_ECDH_X448:
break;
default:
if (critical) {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("Certificate %1$s usage does not permit key encipherment"),
certFile);
return -1;
} else {
VIR_WARN("Certificate %s usage does not permit key encipherment",
certFile);
}
}
}
}