author | Daniel Kahn Gillmor <dkg@fifthhorseman.net> | 2021-05-07 22:25:41 -0400 |
---|---|---|
committer | Daniel Kahn Gillmor <dkg@fifthhorseman.net> | 2021-09-17 16:33:07 -0400 |
commit | c5b657bfc8e0291912c4ba50a8fa0f6e0082cb53 (patch) | |
tree | e08d497724c24a097295bd141d5fd660dd17d6d0 | |
parent | d6bb88cd7a84874da10fa493841244aad6eae863 (diff) | |
download | gnutls-c5b657bfc8e0291912c4ba50a8fa0f6e0082cb53.tar.gz |
certtool: when making X25519 or X448 certs, always use "key agreement"
This is related to #1227 -- but in this case, it's enforcing a
requirement of RFC 8410 §5.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-rw-r--r-- | src/certtool.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/certtool.c b/src/certtool.c index 1e0814a51f..825a306bc9 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -566,6 +566,10 @@ generate_certificate(gnutls_privkey_t * ret_key, if (result) usage |= GNUTLS_KEY_KEY_ENCIPHERMENT; + } else if (pk == GNUTLS_PK_ECDH_X25519 || + pk == GNUTLS_PK_ECDH_X448) { + /* X25519 and X448 are only for key agreement. */ + usage |= GNUTLS_KEY_KEY_AGREEMENT; } else { usage |= GNUTLS_KEY_DIGITAL_SIGNATURE; } |
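
Review bot: in the new `else if` branch for `GNUTLS_PK_ECDH_X25519` / `GNUTLS_PK_ECDH_X448`, `usage |= GNUTLS_KEY_KEY_AGREEMENT` only ORs the bit in, so the comment "only for key agreement" holds only if `usage` carries no signing or encipherment bits when this chain is reached, and the hunk does not show that. RFC 8410 §5 permits only encipherOnly or decipherOnly alongside keyAgreement for these key types, so consider masking out any other bits in this branch or failing with an error when they are set. The diffstat lists only src/certtool.c, so a test that generates an X25519 and an X448 certificate and checks the resulting key usage extension would keep this from regressing.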