certtool: when making X25519 or X448 certs, always use "key agreement"

This is related to #1227 -- but in this case, it's enforcing a requirement of RFC 8410 §5. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
author: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2021-05-07 22:25:41 -0400
committer: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2021-09-17 16:33:07 -0400
commit: c5b657bfc8e0291912c4ba50a8fa0f6e0082cb53 (patch)
tree: e08d497724c24a097295bd141d5fd660dd17d6d0
parent: d6bb88cd7a84874da10fa493841244aad6eae863 (diff)
download: gnutls-c5b657bfc8e0291912c4ba50a8fa0f6e0082cb53.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/src/certtool.c b/src/certtool.c
index 1e0814a51f..825a306bc9 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -566,6 +566,10 @@ generate_certificate(gnutls_privkey_t * ret_key,
 				if (result)
 					usage |=
 					    GNUTLS_KEY_KEY_ENCIPHERMENT;
+			} else if (pk == GNUTLS_PK_ECDH_X25519 ||
+                                   pk == GNUTLS_PK_ECDH_X448) {
+                                /* X25519 and X448 are only for key agreement. */
+                                usage |= GNUTLS_KEY_KEY_AGREEMENT;
 			} else {
 				usage |= GNUTLS_KEY_DIGITAL_SIGNATURE;
 			}
author	Daniel Kahn Gillmor <dkg@fifthhorseman.net>	2021-05-07 22:25:41 -0400
committer	Daniel Kahn Gillmor <dkg@fifthhorseman.net>	2021-09-17 16:33:07 -0400
commit	c5b657bfc8e0291912c4ba50a8fa0f6e0082cb53 (patch)
tree	e08d497724c24a097295bd141d5fd660dd17d6d0
parent	d6bb88cd7a84874da10fa493841244aad6eae863 (diff)
download	gnutls-c5b657bfc8e0291912c4ba50a8fa0f6e0082cb53.tar.gz