tlscert: Don't force 'keyEncipherment' for ECDSA and ECDH

Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV
algorithms must not have 'keyEncipherment' present, but our code did
check it. Add exemption for known algorithms which don't use it.

[1] https://datatracker.ietf.org/doc/rfc8813/
[2] https://datatracker.ietf.org/doc/rfc5480

Closes: https://gitlab.com/libvirt/libvirt/-/issues/691
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>

diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c
index 1befbe06bc40b1d2a877b82f2fd60ae776ba5a9b..f1979956337a399e9fbe18b47f0fce3de7e753c7 100644 (file)
--- a/src/rpc/virnettlscert.c
+++ b/src/rpc/virnettlscert.c
@@ -163,14 +163,31 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert,
             }
         }
         if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
-            if (critical) {
-                virReportError(VIR_ERR_SYSTEM_ERROR,
-                               _("Certificate %1$s usage does not permit key encipherment"),
-                               certFile);
-                return -1;
-            } else {
-                VIR_WARN("Certificate %s usage does not permit key encipherment",
-                         certFile);
+            int alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
+
+            /* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV
+             * algorithms must not have 'keyEncipherment' present.
+             *
+             * [1] https://datatracker.ietf.org/doc/rfc8813/
+             * [2] https://datatracker.ietf.org/doc/rfc5480
+             */
+
+            switch (alg) {
+            case GNUTLS_PK_ECDSA:
+            case GNUTLS_PK_ECDH_X25519:
+            case GNUTLS_PK_ECDH_X448:
+                break;
+
+            default:
+                if (critical) {
+                    virReportError(VIR_ERR_SYSTEM_ERROR,
+                                   _("Certificate %1$s usage does not permit key encipherment"),
+                                   certFile);
+                    return -1;
+                } else {
+                    VIR_WARN("Certificate %s usage does not permit key encipherment",
+                             certFile);
+                }
             }
         }
     }