On Tue, Jun 17, 2025 at 03:43:59PM +0200, Peter Krempa via Devel wrote:
> From: Peter Krempa <[email protected]>
>
> Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV
> algorithms must not have 'keyEncipherment' present, but our code did
> check it. Add exemption for known algorithms which don't use it.
>
> [1] https://datatracker.ietf.org/doc/rfc8813/
> [2] https://datatracker.ietf.org/doc/rfc5480
>
> Closes: https://gitlab.com/libvirt/libvirt/-/issues/691
> Signed-off-by: Peter Krempa <[email protected]>
> ---
> src/rpc/virnettlscert.c | 33 +++++++++++++++++++++++++--------
> 1 file changed, 25 insertions(+), 8 deletions(-)
Surprised we didn't need a test update, but it seems we don't test
any EC certs, so that's why.
>
> diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c
> index 1befbe06bc..f197995633 100644
> --- a/src/rpc/virnettlscert.c
> +++ b/src/rpc/virnettlscert.c
> @@ -163,14 +163,31 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t
> cert,
> }
> }
> if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
> - if (critical) {
> - virReportError(VIR_ERR_SYSTEM_ERROR,
> - _("Certificate %1$s usage does not permit key
> encipherment"),
> - certFile);
> - return -1;
> - } else {
> - VIR_WARN("Certificate %s usage does not permit key
> encipherment",
> - certFile);
> + int alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
> +
> + /* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and
> ECMQV
> + * algorithms must not have 'keyEncipherment' present.
> + *
> + * [1] https://datatracker.ietf.org/doc/rfc8813/
> + * [2] https://datatracker.ietf.org/doc/rfc5480
> + */
> +
> + switch (alg) {
> + case GNUTLS_PK_ECDSA:
> + case GNUTLS_PK_ECDH_X25519:
> + case GNUTLS_PK_ECDH_X448:
> + break;
> +
> + default:
> + if (critical) {
> + virReportError(VIR_ERR_SYSTEM_ERROR,
> + _("Certificate %1$s usage does not permit
> key encipherment"),
> + certFile);
> + return -1;
> + } else {
> + VIR_WARN("Certificate %s usage does not permit key
> encipherment",
> + certFile);
> + }
> }
> }
> }
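Review bot: the new comment inside the `switch` block says RFC8813 "amends RFC5580", yet the reference right below it ("[2] https://datatracker.ietf.org/doc/rfc5480") points at RFC 5480, and the commit message repeats the same mismatch; please change the comment text to RFC5480 so the prose and the link agree, since readers will otherwise look up the wrong document. Separately, because the exemption is a hard-coded list of `GNUTLS_PK_*` values and the reply above notes that no EC certificates are exercised by the test suite, it would be worth adding a test certificate with an EC key and no `keyEncipherment` bit, so that the `break` path for EC keys and the `default:` error/warning path for other key types are both covered.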
Reviewed-by: Daniel P. Berrangé <[email protected]>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|