author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-09-15 20:13:39 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-09-15 20:31:56 +0200 |
commit | b319a0b901167e993a297bf0cdea2249de7c1b19 (patch) | |
tree | 97cbfba75751806d2c3c9aa3874a4fa7c9756725 | |
parent | 6220817e240ae0da6821f14e8f85b61bfa8b2ee4 (diff) | |
download | gnutls-b319a0b901167e993a297bf0cdea2249de7c1b19.tar.gz |
Do not ask unnecessary questions when signing a certificate (request).
-rw-r--r-- | src/certtool.c | 30 |
1 files changed, 19 insertions, 11 deletions
diff --git a/src/certtool.c b/src/certtool.c
index 7cc88d5997..c438642209 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -509,9 +509,8 @@ generate_certificate (gnutls_privkey_t * ret_key,
   pk = gnutls_x509_crt_get_pk_algorithm (crt, NULL);
-  if (pk != GNUTLS_PK_DSA)
-    { /* DSA keys can only sign.
-       */
+  if (pk == GNUTLS_PK_RSA)
+    { /* DSA and ECDSA keys can only sign. */
       result = get_sign_status (server);
       if (result)
         usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
@@ -1828,7 +1827,7 @@ generate_request (common_info_st * cinfo)
   gnutls_x509_privkey_t xkey;
   gnutls_pubkey_t pubkey;
   gnutls_privkey_t pkey;
-  int ret, ca_status, path_len;
+  int ret, ca_status, path_len, pk;
   const char *pass;
   unsigned int usage = 0;
@@ -1859,6 +1858,8 @@ generate_request (common_info_st * cinfo)
   pubkey = load_public_key_or_import (1, pkey, cinfo);
+  pk = gnutls_pubkey_get_pk_algorithm (pubkey, NULL);
+
   /* Set the DN. */
   get_country_crq_set (crq);
@@ -1898,14 +1899,21 @@ generate_request (common_info_st * cinfo)
         error (EXIT_FAILURE, 0, "set_basic_constraints: %s", gnutls_strerror (ret));
-  ret = get_sign_status (1);
-  if (ret)
-    usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
+  if (pk == GNUTLS_PK_RSA)
+    {
+      ret = get_sign_status (1);
+      if (ret)
+        usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
-  ret = get_encrypt_status (1);
-  if (ret)
-    usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
-  else
+      /* Only ask for an encryption certificate
+       * if it is an RSA one */
+      ret = get_encrypt_status (1);
+      if (ret)
+        usage |= GNUTLS_KEY_KEY_ENCIPHERMENT;
+      else
+        usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
+    }
+  else /* DSA and ECDSA are always signing */
     usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
   if (ca_status)
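Review bot: The new `if (pk == GNUTLS_PK_RSA)` test in generate_certificate treats every non-RSA value as a sign-only key, and that now includes a failure of the unchecked gnutls_x509_crt_get_pk_algorithm() call on the line above (presumably a negative error code), which the old `pk != GNUTLS_PK_DSA` form would at least have kept prompting for. Fail explicitly before the test rather than silently picking a key usage, e.g. `if (pk < 0) error (EXIT_FAILURE, 0, "get_pk_algorithm: %s", gnutls_strerror (pk));`, which matches the error() convention visible later in this file. The comment placed on the RSA branch describes the other branch; `/* Only RSA keys can also encipher; ask about usage only for those, all other key types are sign-only. */` says what this branch actually decides. generate_certificate's body and the matching else branch lie outside the hunk.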
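Review bot: In generate_request, `pk` is assigned from gnutls_pubkey_get_pk_algorithm() and never checked, so a failed call (presumably a negative return) is later taken as "not RSA" and the request is silently marked signing-only instead of the error being reported. Add the check right after the assignment, `if (pk < 0) error (EXIT_FAILURE, 0, "get_pk_algorithm: %s", gnutls_strerror (pk));`, in line with the `error (EXIT_FAILURE, 0, "set_basic_constraints: %s", ...)` pattern used a few lines further down in the same function. generate_request's body continues outside the hunk.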
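Review bot: The `else /* DSA and ECDSA are always signing */` branch covers every `pk` value other than GNUTLS_PK_RSA, including GNUTLS_PK_UNKNOWN and any error value, so the comment understates what the condition catches; `/* Anything that is not RSA (DSA, ECDSA, unknown) is treated as a signing-only key. */` would be accurate. The inner `else usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;` preserves the pre-existing behaviour that an RSA key whose owner declines both the signing and the encryption question still gets digitalSignature, which is worth a one-line comment such as `/* An RSA key not used for encipherment defaults to signing. */` so the third copy of that statement does not read as a copy-paste mistake. generate_request's body continues outside the hunk.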