VIR_DEBUG("Cert %s key usage status %d usage %d critical %u", certFile, status, usage, critical);
if (status < 0) {
if (status == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
- usage = isCA ? GNUTLS_KEY_KEY_CERT_SIGN :
- GNUTLS_KEY_DIGITAL_SIGNATURE|GNUTLS_KEY_KEY_ENCIPHERMENT;
+ if (isCA)
+ usage = GNUTLS_KEY_KEY_CERT_SIGN;
+ else
+ usage = GNUTLS_KEY_DIGITAL_SIGNATURE;
} else {
virReportError(VIR_ERR_SYSTEM_ERROR,
_("Unable to query certificate %1$s key usage %2$s"),
certFile);
}
}
- if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
- int alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
-
- /* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV
- * algorithms must not have 'keyEncipherment' present.
- *
- * [1] https://datatracker.ietf.org/doc/rfc8813/
- * [2] https://datatracker.ietf.org/doc/rfc5480
- */
-
- switch (alg) {
- case GNUTLS_PK_ECDSA:
- case GNUTLS_PK_ECDH_X25519:
- case GNUTLS_PK_ECDH_X448:
- break;
-
- default:
- if (critical) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("Certificate %1$s usage does not permit key encipherment"),
- certFile);
- return -1;
- } else {
- VIR_WARN("Certificate %s usage does not permit key encipherment",
- certFile);
- }
- }
- }
}
return 0;
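Review bot: The else branch that handles a failed key-usage query, as shown in this hunk, reports an error but never returns, so control reaches `return 0;` and a certificate whose key usage could not be read is accepted; its format string also references `%2$s` while only `certFile` is passed. If these context lines are complete rather than abbreviated on the page, the call should end with `certFile, gnutls_strerror(status));` and be followed by `return -1;`. Separately, the removed block held the only explanation of the keyEncipherment policy, so the new default deserves a short comment such as `/* keyEncipherment is no longer required; non-CA certs default to digitalSignature only */`. The enclosing function starts and ends outside the hunk, so any later check that consumes `usage` and `critical` is not visible here.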