From: Peter Krempa <pkrempa@redhat.com>
Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV
algorithms must not have 'keyEncipherment' present, but our code did
check it. Add exemption for known algorithms which don't use it.
[1] https://datatracker.ietf.org/doc/rfc8813/
[2] https://datatracker.ietf.org/doc/rfc5480
Closes: https://gitlab.com/libvirt/libvirt/-/issues/691
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
src/rpc/virnettlscert.c | 33 +++++++++++++++++++++++++--------
1 file changed, 25 insertions(+), 8 deletions(-)
diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c
index 1befbe06bc..f197995633 100644
--- a/src/rpc/virnettlscert.c
+++ b/src/rpc/virnettlscert.c
@@ -163,14 +163,31 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert,
}
}
if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
- if (critical) {
- virReportError(VIR_ERR_SYSTEM_ERROR,
- _("Certificate %1$s usage does not permit key encipherment"),
- certFile);
- return -1;
- } else {
- VIR_WARN("Certificate %s usage does not permit key encipherment",
- certFile);
+ int alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
+
+ /* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV
+ * algorithms must not have 'keyEncipherment' present.
+ *
+ * [1] https://datatracker.ietf.org/doc/rfc8813/
+ * [2] https://datatracker.ietf.org/doc/rfc5480
+ */
+
+ switch (alg) {
+ case GNUTLS_PK_ECDSA:
+ case GNUTLS_PK_ECDH_X25519:
+ case GNUTLS_PK_ECDH_X448:
+ break;
+
+ default:
+ if (critical) {
+ virReportError(VIR_ERR_SYSTEM_ERROR,
+ _("Certificate %1$s usage does not permit key encipherment"),
+ certFile);
+ return -1;
+ } else {
+ VIR_WARN("Certificate %s usage does not permit key encipherment",
+ certFile);
+ }
}
}
}
--
2.49.0On Tue, Jun 17, 2025 at 03:43:59PM +0200, Peter Krempa via Devel wrote:
> From: Peter Krempa <pkrempa@redhat.com>
>
> Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV
> algorithms must not have 'keyEncipherment' present, but our code did
> check it. Add exemption for known algorithms which don't use it.
>
> [1] https://datatracker.ietf.org/doc/rfc8813/
> [2] https://datatracker.ietf.org/doc/rfc5480
>
> Closes: https://gitlab.com/libvirt/libvirt/-/issues/691
> Signed-off-by: Peter Krempa <pkrempa@redhat.com>
> ---
> src/rpc/virnettlscert.c | 33 +++++++++++++++++++++++++--------
> 1 file changed, 25 insertions(+), 8 deletions(-)
Surprised we didn't need a test update, but it seems we don't test
any EC certs, so that's why.
>
> diff --git a/src/rpc/virnettlscert.c b/src/rpc/virnettlscert.c
> index 1befbe06bc..f197995633 100644
> --- a/src/rpc/virnettlscert.c
> +++ b/src/rpc/virnettlscert.c
> @@ -163,14 +163,31 @@ static int virNetTLSCertCheckKeyUsage(gnutls_x509_crt_t cert,
> }
> }
> if (!(usage & GNUTLS_KEY_KEY_ENCIPHERMENT)) {
> - if (critical) {
> - virReportError(VIR_ERR_SYSTEM_ERROR,
> - _("Certificate %1$s usage does not permit key encipherment"),
> - certFile);
> - return -1;
> - } else {
> - VIR_WARN("Certificate %s usage does not permit key encipherment",
> - certFile);
> + int alg = gnutls_x509_crt_get_pk_algorithm(cert, NULL);
> +
> + /* Per RFC8813 [1] which amends RFC5580 [2] ECDSA, ECDH, and ECMQV
> + * algorithms must not have 'keyEncipherment' present.
> + *
> + * [1] https://datatracker.ietf.org/doc/rfc8813/
> + * [2] https://datatracker.ietf.org/doc/rfc5480
> + */
> +
> + switch (alg) {
> + case GNUTLS_PK_ECDSA:
> + case GNUTLS_PK_ECDH_X25519:
> + case GNUTLS_PK_ECDH_X448:
> + break;
> +
> + default:
> + if (critical) {
> + virReportError(VIR_ERR_SYSTEM_ERROR,
> + _("Certificate %1$s usage does not permit key encipherment"),
> + certFile);
> + return -1;
> + } else {
> + VIR_WARN("Certificate %s usage does not permit key encipherment",
> + certFile);
> + }
> }
> }
> }
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
© 2016 - 2026 Red Hat, Inc.