gnutls_pkcs11_privkey_import_url: enable RSA-PSS only when an RSA key can sign
authorNikos Mavrogiannopoulos <nmav@gnutls.org>
Mon, 21 Jan 2019 19:33:00 +0000 (20:33 +0100)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Tue, 22 Jan 2019 08:50:48 +0000 (09:50 +0100)
In gnutls_pkcs11_privkey_import_url() we only enabled RSA-PSS functionality to
the key if the CKM_RSA_PKCS_PSS mechanism is available to the token. However,
if the specific key is not marked for use with digital signatures (CKA_SIGN
set), then we may still have ended up using it and failed when doing so. We
now test whether CKA_SIGN is set prior to enabling such keys for PSS.

Resolves: #667

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
NEWS
lib/pkcs11_privkey.c
tests/pkcs11/tls-neg-pkcs11-key.c

diff --git a/NEWS b/NEWS
index b109e78b6ec298b76adfd7726fdea0eb3bdbbd52..9d3a7d8c65538ab6cc33fbfb44e0bc3ddfbb9f6d 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,9 @@ See the end for copying conditions.
    This solves a regression since 3.5.x and improves compatibility of the server
    side with certain clients.
 
+** libgnutls: We no longer mark RSA keys in PKCS#11 tokens as RSA-PSS capable if
+   the CKA_SIGN is not set (#667).
+
 ** GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION was marked as deprecated. The previous
    definition was buggy and non-functional.
 
index bf69b69ce4e047a56bc71bfbac0f4d429db4996f..53a2d8a937f95dca9a39cf3eceb8a85d6390aacd 100644 (file)
@@ -581,17 +581,25 @@ gnutls_pkcs11_privkey_import_url(gnutls_pkcs11_privkey_t pkey,
 
 
        if (pkey->pk_algorithm == GNUTLS_PK_RSA) { /* determine whether it can do rsa-pss */
+               ck_bool_t tval = 0;
+
                a[0].type = CKA_MODULUS;
                a[0].value = NULL;
                a[0].value_len = 0;
-               if (pkcs11_get_attribute_value(pkey->sinfo.module, pkey->sinfo.pks, pkey->ref, a, 1)
+               a[1].type = CKA_SIGN;
+               a[1].value = &tval;
+               a[1].value_len = sizeof(tval);
+               if (pkcs11_get_attribute_value(pkey->sinfo.module, pkey->sinfo.pks, pkey->ref, a, 2)
                    == CKR_OK) {
                        pkey->bits = a[0].value_len*8;
                }
 
                ret = gnutls_pkcs11_token_check_mechanism(url, CKM_RSA_PKCS_PSS, NULL, 0, 0);
-               if (ret != 0)
+               if (ret != 0 && tval) {
                        pkey->rsa_pss_ok = 1;
+               } else {
+                       _gnutls_debug_log("Detected incompatible with TLS1.3 RSA key! (%s)\n", url);
+               }
        }
 
        a[0].type = CKA_ALWAYS_AUTHENTICATE;
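Review bot: Folding CKA_SIGN into the same pkcs11_get_attribute_value() call as CKA_MODULUS ties `pkey->bits` to the new lookup: the call is still gated on `== CKR_OK`, so should a token reject the CKA_SIGN query (the old code never asked for it) the modulus size is no longer recorded, which the previous single-attribute call did not risk. Reading the two attributes in separate calls keeps the modulus size independent of the signing flag and lets a failed CKA_SIGN lookup simply leave `tval` at 0, as sketched below. The debug message also prints `url` verbatim; a PKCS#11 URI may carry a `pin-value` attribute (RFC 7512), so a sanitized form would be safer in debug logs, and the wording reads better as `"Detected RSA key incompatible with TLS1.3 (%s)\n"`. gnutls_pkcs11_privkey_import_url continues outside the hunk.
```c
                a[0].type = CKA_MODULUS;
                a[0].value = NULL;
                a[0].value_len = 0;
                if (pkcs11_get_attribute_value(pkey->sinfo.module, pkey->sinfo.pks, pkey->ref, a, 1)
                    == CKR_OK) {
                        pkey->bits = a[0].value_len*8;
                }

                /* queried separately so a token that cannot answer CKA_SIGN
                 * still yields pkey->bits; on failure tval stays 0 (no PSS) */
                a[1].type = CKA_SIGN;
                a[1].value = &tval;
                a[1].value_len = sizeof(tval);
                if (pkcs11_get_attribute_value(pkey->sinfo.module, pkey->sinfo.pks, pkey->ref, &a[1], 1)
                    != CKR_OK) {
                        tval = 0;
                }
                /* … unchanged: CKM_RSA_PKCS_PSS mechanism check and rsa_pss_ok decision … */
```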
index 764e93b6ad504fbed0d41758af1c83a176a22509..f91414a6afb3bd3c5392edf9a91b0a6705f13aac 100644 (file)
@@ -280,6 +280,14 @@ static const test_st tests[] = {
         .exp_kx = GNUTLS_KX_RSA,
         .needs_decryption = 1
        },
+       {.name = "tls1.2: rsa-decryption key, signatures prioritized",
+        .pk = GNUTLS_PK_RSA,
+        .prio = "NORMAL:-KX-ALL:+ECDHE-RSA:+RSA:-VERS-TLS-ALL:+VERS-TLS1.2:-SIGN-ALL:+SIGN-RSA-PSS-RSAE-SHA256",
+        .cert = &server_ca3_localhost_cert,
+        .key = &server_ca3_key,
+        .exp_kx = GNUTLS_KX_RSA,
+        .needs_decryption = 1
+       },
        {.name = "tls1.2: ecc key",
         .pk = GNUTLS_PK_ECDSA,
         .prio = "NORMAL:-KX-ALL:+ECDHE-RSA:+ECDHE-ECDSA:-VERS-TLS-ALL:+VERS-TLS1.2",