From: Matthijs Mekking Date: Tue, 10 Oct 2023 13:18:11 +0000 (+0200) Subject: Specify key usage to be digital signature X-Git-Tag: v9.19.22~70^2~12 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=62e7cc66d066bc2a7933f52dc08690f2db88be05;p=thirdparty%2Fbind9.git Specify key usage to be digital signature If not set, the created keys allows signing plus decrypt which is bad practice. Setting the key usage explicitly will generate keys that allow only signing.
---
diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
index 9ca9abad896..2c99650285c 100644
--- a/lib/dns/opensslecdsa_link.c
+++ b/lib/dns/opensslecdsa_link.c
@@ -416,11 +416,13 @@ opensslecdsa_generate_pkey_with_uri(int group_nid, const char *label,
 isc_result_t ret;
 char *uri = UNCONST(label);
 EVP_PKEY_CTX *ctx = NULL;
- OSSL_PARAM params[2];
+ OSSL_PARAM params[3];
 
 /* Generate the key's parameters. */
 params[0] = OSSL_PARAM_construct_utf8_string("pkcs11_uri", uri, 0);
- params[1] = OSSL_PARAM_construct_end();
+ params[1] = OSSL_PARAM_construct_utf8_string(
+ "pkcs11_key_usage", (char *)"digitalSignature", 0);
+ params[2] = OSSL_PARAM_construct_end();
 
 ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", "provider=pkcs11");
 if (ctx == NULL) {
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index e1e804bbdc3..6e26f8651bf 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
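Review bot: The new `params[1]` line casts a string literal to `char *` while the line just above reaches the same non-const `OSSL_PARAM_construct_utf8_string` parameter through the file's own `UNCONST(label)` helper; writing it as `UNCONST("digitalSignature")` (assuming the macro accepts a literal) would keep the two lines consistent and make it clear the cast exists only to satisfy the API's signature, since the provider must not write through it. The rationale from the commit message is worth keeping next to the code as well, e.g. `/* Restrict the generated key to signing; without this the provider creates keys that also permit decryption. */`. An OpenSSL provider is generally free to ignore a parameter name it does not recognise, so a build against a pkcs11 provider that predates `pkcs11_key_usage` would presumably still produce a sign+decrypt key without any error from this code; if that matters, a comment recording the minimum provider version that honours the parameter would help the next maintainer. The same two points apply to the RSA hunk in lib/dns/opensslrsa_link.c, and the enclosing function continues past the end of both hunks, so whether the later set-params result is checked is not visible here.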
@@ -500,14 +500,16 @@ static isc_result_t
 opensslrsa_generate_pkey_with_uri(size_t key_size, const char *label,
 EVP_PKEY **retkey) {
 EVP_PKEY_CTX *ctx = NULL;
- OSSL_PARAM params[3];
+ OSSL_PARAM params[4];
 char *uri = UNCONST(label);
 isc_result_t ret;
 int status;
 
 params[0] = OSSL_PARAM_construct_utf8_string("pkcs11_uri", uri, 0);
- params[1] = OSSL_PARAM_construct_size_t("rsa_keygen_bits", &key_size);
- params[2] = OSSL_PARAM_construct_end();
+ params[1] = OSSL_PARAM_construct_utf8_string(
+ "pkcs11_key_usage", (char *)"digitalSignature", 0);
+ params[2] = OSSL_PARAM_construct_size_t("rsa_keygen_bits", &key_size);
+ params[3] = OSSL_PARAM_construct_end();
 
 ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", "provider=pkcs11");
 if (ctx == NULL) {