[PATCH 6/6] tlscert: Don't force 'keyEncipherment' for ECDSA and ECDH

From: Peter Krempa <pkrempa@xxxxxxxxxx>

Per RFC8813 [1], which amends RFC5580 [2], ECDSA, ECDH, and ECMQV
algorithms must not have 'keyEncipherment' present, but our code did
check it. Add an exemption for known algorithms which don't use it.

[1] https://datatracker.ietf.org/doc/rfc8813/
[2] https://datatracker.ietf.org/doc/rfc5480

Closes: https://gitlab.com/libvirt/libvirt/-/issues/691
Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx>
---
 src/rpc/virnettlscert.c | 33 +++++++++++++++++++++++++--------
 1 file changed, 25 insertions(+), 8 deletions(-)

diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c
index 1befbe06bc..f197995633 100644
--- a/src/rpc/virnettlscert.c
+++ b/src/rpc/virnettlscert.c
@@ -163,14 +163,31 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert,
             }
         }
         if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
-            if (critical) {
-                virReportError(VIR_ERR_SYSTEM_ERROR,
-                               _("Certificate %1$s usage does not permit key encipherment"),
-                               certFile);
-                return -1;
-            } else {
-                VIR_WARN("Certificate %s usage does not permit key encipherment",
-                         certFile);
+            int alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
+
+            /* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV
+             * algorithms must not have 'keyEncipherment' present.
+             *
+             * [1] https://datatracker.ietf.org/doc/rfc8813/
+             * [2] https://datatracker.ietf.org/doc/rfc5480
+             */
+
+            switch (alg) {
+            case GNUTLS_PK_ECDSA:
+            case GNUTLS_PK_ECDH_X25519:
+            case GNUTLS_PK_ECDH_X448:
+                break;
+
+            default:
+                if (critical) {
+                    virReportError(VIR_ERR_SYSTEM_ERROR,
+                                   _("Certificate %1$s usage does not permit key encipherment"),
+                                   certFile);
+                    return -1;
+                } else {
+                    VIR_WARN("Certificate %s usage does not permit key encipherment",
+                             certFile);
+                }
             }
         }
     }
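Review bot: the comment at the head of the new block cites "RFC5580 [2]" while the link under it is https://datatracker.ietf.org/doc/rfc5480; RFC 8813 updates RFC 5480, so the text should read RFC5480 (the commit message carries the same mismatch). Two smaller points on this hunk: `gnutls_x509_crt_get_pk_algorithm(cert, NULL)` returns a negative error code when the key type cannot be determined, and that value lands in `default:` and keeps the previous reject/warn behaviour, which is the safe choice but is worth a one-line comment so nobody "fixes" it later; and the comment lists ECMQV among the exempt algorithms while the switch only names `GNUTLS_PK_ECDSA`, `GNUTLS_PK_ECDH_X25519` and `GNUTLS_PK_ECDH_X448`, so either add a note that gnutls has no separate value for ECMQV or drop it from the comment to avoid the obvious question in review.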
-- 
2.49.0