Specify key usage to be digital signature
authorMatthijs Mekking <matthijs@isc.org>
Tue, 10 Oct 2023 13:18:11 +0000 (15:18 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 25 Jan 2024 13:48:07 +0000 (14:48 +0100)
If not set, the created keys allow signing plus decryption, which is bad
practice. Setting the key usage explicitly will generate keys that
allow only signing.

lib/dns/opensslecdsa_link.c
lib/dns/opensslrsa_link.c

index 9ca9abad8962ca2ca659c3c0ee7e677c605027dd..2c99650285cffdd622548d567d080a470d7eaf3c 100644 (file)
@@ -416,11 +416,13 @@ opensslecdsa_generate_pkey_with_uri(int group_nid, const char *label,
        isc_result_t ret;
        char *uri = UNCONST(label);
        EVP_PKEY_CTX *ctx = NULL;
-       OSSL_PARAM params[2];
+       OSSL_PARAM params[3];
 
        /* Generate the key's parameters. */
        params[0] = OSSL_PARAM_construct_utf8_string("pkcs11_uri", uri, 0);
-       params[1] = OSSL_PARAM_construct_end();
+       params[1] = OSSL_PARAM_construct_utf8_string(
+               "pkcs11_key_usage", (char *)"digitalSignature", 0);
+       params[2] = OSSL_PARAM_construct_end();
 
        ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", "provider=pkcs11");
        if (ctx == NULL) {
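Review bot: The new params[1] entry casts the string literal `"digitalSignature"` to a non-const `char *` with no comment saying why that is safe; OSSL_PARAM_construct_utf8_string takes a writable pointer for its buffer, and the cast is only acceptable because a set-params entry is read by the provider and never written back. I would put that, together with the reason for the restriction, directly above the line, e.g. `/* Restrict the PKCS#11 key to signing only; the pkcs11 provider reads this value and never writes it, so the const cast is safe. */`. The same cast and the same missing rationale appear in the opensslrsa_link.c hunk, and the two literals `"pkcs11_key_usage"` / `"digitalSignature"` are now duplicated across the two files, so a shared named constant would keep the key-usage policy in one place. The parameter name appears to be specific to the pkcs11 provider rather than an OpenSSL core parameter, so it is worth confirming that the provider in use honours it rather than ignoring an unknown key. opensslecdsa_generate_pkey_with_uri continues outside the hunk, so the later EVP_PKEY_CTX_set_params handling is not visible here.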
index e1e804bbdc38100af198790865fa79c4b47fa678..6e26f8651bfcf482865a6b271cbdd20768e1d1d9 100644 (file)
@@ -500,14 +500,16 @@ static isc_result_t
 opensslrsa_generate_pkey_with_uri(size_t key_size, const char *label,
                                  EVP_PKEY **retkey) {
        EVP_PKEY_CTX *ctx = NULL;
-       OSSL_PARAM params[3];
+       OSSL_PARAM params[4];
        char *uri = UNCONST(label);
        isc_result_t ret;
        int status;
 
        params[0] = OSSL_PARAM_construct_utf8_string("pkcs11_uri", uri, 0);
-       params[1] = OSSL_PARAM_construct_size_t("rsa_keygen_bits", &key_size);
-       params[2] = OSSL_PARAM_construct_end();
+       params[1] = OSSL_PARAM_construct_utf8_string(
+               "pkcs11_key_usage", (char *)"digitalSignature", 0);
+       params[2] = OSSL_PARAM_construct_size_t("rsa_keygen_bits", &key_size);
+       params[3] = OSSL_PARAM_construct_end();
 
        ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", "provider=pkcs11");
        if (ctx == NULL) {