From: Peter Krempa Date: Tue, 17 Jun 2025 13:01:26 +0000 (+0200) Subject: tlscert: Don't force 'keyEncipherment' for ECDSA and ECDH X-Git-Tag: v11.5.0-rc1~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=11867b0224a2;p=thirdparty%2Flibvirt.git tlscert: Don't force 'keyEncipherment' for ECDSA and ECDH Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV algorithms must not have 'keyEncipherment' present, but our code did check it. Add exemption for known algorithms which don't use it. [1] https://datatracker.ietf.org/doc/rfc8813/ [2] https://datatracker.ietf.org/doc/rfc5480 Closes: https://gitlab.com/libvirt/libvirt/-/issues/691 Signed-off-by: Peter Krempa Reviewed-by: Daniel P. Berrangé Reviewed-by: Michal Privoznik Reviewed-by: Ján Tomko --- diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c index 1befbe06bc..f197995633 100644 --- a/src/rpc/virnettlscert.c +++ b/src/rpc/virnettlscert.c @@ -163,14 +163,31 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert, } } if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) { - if (critical) { - virReportError(VIR_ERR_SYSTEM_ERROR, - _("Certificate %1$s usage does not permit key encipherment"), - certFile); - return -1; - } else { - VIR_WARN("Certificate %s usage does not permit key encipherment", - certFile); + int alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL); + + /* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV + * algorithms must not have 'keyEncipherment' present. + * + * [1] https://datatracker.ietf.org/doc/rfc8813/ + * [2] https://datatracker.ietf.org/doc/rfc5480 + */ + + switch (alg) { + case GNUTLS_PK_ECDSA: + case GNUTLS_PK_ECDH_X25519: + case GNUTLS_PK_ECDH_X448: + break; + + default: + if (critical) { + virReportError(VIR_ERR_SYSTEM_ERROR, + _("Certificate %1$s usage does not permit key encipherment"), + certFile); + return -1; + } else { + VIR_WARN("Certificate %s usage does not permit key encipherment", + certFile); + } } } }