certtool: when making X25519 or X448 certs, always use "key agreement"
authorDaniel Kahn Gillmor <dkg@fifthhorseman.net>
Sat, 8 May 2021 02:25:41 +0000 (22:25 -0400)
committerDaniel Kahn Gillmor <dkg@fifthhorseman.net>
Fri, 17 Sep 2021 20:33:07 +0000 (16:33 -0400)
This is related to #1227 -- but in this case, it's enforcing a
requirement of RFC 8410 §5.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
src/certtool.c

index 1e0814a51fe12b9aea8e1c1df2a672fabbfa0feb..825a306bc93ac7164be0990f0ee37402d3e292be 100644 (file)
@@ -566,6 +566,10 @@ generate_certificate(gnutls_privkey_t * ret_key,
                                if (result)
                                        usage |=
                                            GNUTLS_KEY_KEY_ENCIPHERMENT;
+                       } else if (pk == GNUTLS_PK_ECDH_X25519 ||
+                                   pk == GNUTLS_PK_ECDH_X448) {
+                                /* X25519 and X448 are only for key agreement. */
+                                usage |= GNUTLS_KEY_KEY_AGREEMENT;
                        } else {
                                usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
                        }
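Review bot: The new branch on lines 18-21 only adds GNUTLS_KEY_KEY_AGREEMENT, but nothing in the hunk stops other bits from still being ORed into `usage` for an X25519/X448 key on paths outside this if/else chain (for example a CA prompt setting keyCertSign or cRLSign elsewhere in the function); RFC 8410 section 5 requires keyAgreement for these keys and, as I read it, allows only encipherOnly/decipherOnly alongside it, so those other paths presumably need the same `pk` check, which I cannot confirm from here. The added comment could cite the requirement rather than just restate it: `/* RFC 8410 section 5: X25519/X448 keyUsage MUST include keyAgreement. */`. The branch order also matters: the preceding branch (whose `if (result)` is on line 15) runs first, so if its condition is not keyed on the algorithm an X25519 key could be handled there before reaching this check — worth verifying against the lines above the hunk. generate_certificate starts before the hunk and continues past it.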